Apple has aggressively increased its highest bug bounty compensation to $2 million to expedite identifying critical vulnerabilities.
The increase targets exploit chains as sophisticated as those used in mercenary spyware attacks, and is particularly focused on chains that compromise devices without any user interaction. It makes Apple's one of the most generous bounty programmes in the computer industry: with bonuses, the most severe flaws can earn more than $5 million.
Driving research on complex exploit chains
The new program, launching in November 2025, focuses on complete attack chains rather than isolated flaws.
Apple’s Vice President of Security Engineering, Ivan Krstić, told WIRED, “We’re doubling our top award to $2 million for exploit chains that can achieve similar goals as sophisticated mercenary spyware attacks.” Beyond the base award, researchers earn bonuses for bypassing Lockdown Mode, Apple’s hardened configuration for high-risk users, and for issues found in beta software.
The update also raises payouts across several attack categories. A one-click exploit chain now earns $1 million, four times the previous amount. Attacks launched over a nearby wireless radio can earn $1 million, while attacks requiring physical access to the device can earn $500,000.
Additionally, Apple introduced a “Target Flags” system that lets researchers demonstrate an exploit’s effectiveness and receive faster payment once it is verified, rather than waiting for a software patch to ship.
Encouraging a deeper security focus
This redesign reflects Apple’s acknowledgement of the increasing sophistication of the threats targeting its devices.
The company is offering unprecedented financial incentives to the world’s top external vulnerability researchers to help secure its ecosystem.
Since the inception of its public bug bounty program in 2020, Apple has distributed more than $35 million to more than 800 security professionals, illustrating its proactive approach to defence.
The expanded compensation plan places a high value on vulnerabilities in Apple’s ecosystem, especially those of the kind exploited by mercenary spyware operators. As one leading security report notes, “This is an unprecedented amount in the industry and the largest payout offered by any bounty program we’re aware of.”