Apple announced the expansion of its Security Bounty Program, which is designed to incentivize security researchers to identify vulnerabilities across its platforms. The program now offers maximum rewards of $2 million for zero-click remote code execution exploit chains that achieve goals similar to those of sophisticated spyware attacks. This doubles the previous top award, and additional bonuses for vulnerabilities that affect Lockdown Mode or are discovered in beta software can push the total to over $5 million.
New categories include one-click WebKit sandbox escapes worth up to $300,000 and wireless proximity exploits over any radio worth up to $1 million. The initiative applies to the latest software and hardware versions, including iOS, iPadOS, macOS and related systems. Researchers can submit findings through the Apple Security Research portal, with the updates taking effect in November 2025.
The updated program emphasizes complete exploit chains over individual bugs, with rewards structured by impact and complexity. Zero-click RCE chains targeting core system functions earn up to $2 million, reflecting their use in state-sponsored attacks that require no user interaction. One-click exploits via WebKit or similar vectors receive up to $1 million, and broad unauthorized access to iCloud merits the same amount.
Physical-access attacks on locked devices that enable data compromise qualify for up to $500,000, and app sandbox escapes for up to $300,000. Gatekeeper bypasses on macOS, which the program did not previously cover, now carry $100,000 rewards. Low-impact issues outside the core categories receive $1,000 in addition to CVE credit and researcher acknowledgment. The program prioritizes issues in production software running the latest security protections, such as sandboxing and encryption.
Apple has also introduced a bonus structure that doubles base rewards for qualifying submissions. Vulnerabilities that bypass Lockdown Mode, the setting designed for high-risk users such as journalists and activists, qualify for multipliers of up to 2x. Discoveries in beta software, including regressions in unreleased versions, receive similar bonuses in recognition of early reporting. Combined, these can exceed $5 million for the most severe chains, such as zero-click exploits against Lockdown Mode in beta builds.
The bonus system applies to chains that demonstrate persistent code execution or data exfiltration without user consent. Researchers must provide reproducible proofs of concept, with captured Target Flags, for validation. Apple's security team verifies submissions and issues payment upon confirmation, even before a public patch ships. This incentivizes proactive reporting of emerging risks and of issues in unpatched versions.
Eligible submissions target Apple platforms, including iOS, iPadOS, macOS, tvOS and watchOS, and associated services such as iCloud and the App Store. Researchers must demonstrate exploits on the latest stable releases with full hardware and software configurations. Reports must include detailed reproduction steps, proofs of concept and impact assessments, submitted via the Apple Security Research portal. The program has accepted submissions from individuals, teams and organizations worldwide, with no invitation required, since 2020.
Payouts are made by wire transfer or an equivalent in local currency, with taxes handled according to jurisdiction. Apple provides a dedicated team for triage and verification, with response times under 14 days, and high-value reports receive priority escalation. Confidentiality agreements protect submissions until patches deploy. The portal includes templates and examples for effective reporting.