Apple doubles bug bounty payouts, with max at $5 million

Danny Weber

15:56 10-10-2025

© A. Krivonosov

Apple revamps its bug bounty in November, doubling spyware-level rewards to $2M and offering up to $5M for critical flaws, including Lockdown Mode bypasses.

Apple has announced an update to its bug bounty program, set to begin in November and offering some of the highest rewards in the industry. The company has doubled the top payout for exploit chains comparable in complexity to spyware attacks, raising it from $1 million to $2 million. For especially critical vulnerabilities—including bugs in beta software or a Lockdown Mode bypass in Safari—researchers can receive up to $5 million.

Payouts for other attack scenarios have risen sharply, too. One-click exploits now qualify for up to $1 million instead of $250,000. The maximum reward for vulnerabilities that require physical proximity to a device increases to $1 million, while gaining access to locked devices can bring up to $500,000. In addition, Apple will pay up to $300,000 for an attack chain that combines code execution in WebContent with a sandbox escape.

According to Apple’s vice president for security, Ivan Krstić, the company has paid more than $35 million to over 800 researchers in recent years. He noted that large payouts are uncommon, though Apple has more than once issued $500,000 for critical bugs.

The company emphasized that all documented system-level attacks on iOS have in practice been linked to so-called mercenary spyware, most often used by government entities for targeted surveillance. New protections, including Lockdown Mode and Memory Integrity Enforcement, make such attacks harder, even as adversaries continue to evolve. By lifting rewards, Apple is signaling where it wants researchers to focus: on the most consequential weaknesses that can shift the balance in real-world security.