
Find the iPhone vulnerability, and Tim Cook will give you $2 million.

QbitAI (量子位), 2025-10-11 17:35
The most expensive security reward in history

Discover a qualifying vulnerability and you can receive a maximum reward of $2 million (equivalent to about 14.2 million RMB).

Find one in a special category and the bonus can reach as high as $5 million (equivalent to about 35.6 million RMB).

Apple has really spared no expense in its security investment this time.

The above is Apple's newly upgraded security bounty program.

Apple itself has emphasized:

This time, we've doubled the maximum base bonus to $2 million. This is not only unprecedented in the industry but also the highest amount among all known bounty programs.

However, the vulnerability that earns the top award is no ordinary bug: it has to cause harm equivalent to that of a sophisticated commercial surveillance software attack.

Let's take a closer look below.

Increased Reward Amounts for Multiple Vulnerability Categories

Since launching the vulnerability bounty program nearly a decade ago, Apple has always been known for setting high maximum bonuses. It reached $200,000 in 2016 and increased to $1 million in 2019.

As of now, the program has paid out over $35 million (equivalent to about 250 million RMB) in rewards to more than 800 researchers.

Regarding this, Ivan Krstić, the vice president of Apple's Security Engineering and Architecture, said:

We've set bonuses worth millions of dollars, and the intention is very clear.

We hope that top researchers who can crack the most difficult vulnerabilities, deal with the most complex threats, especially those who can simulate the attack methods of commercial surveillance software, can get generous rewards commensurate with their technical capabilities, time, and effort.

In this upgrade of the security bounty program, Apple has doubled the maximum base bonus to $2 million, which shows how highly it values the security of its own platform.

Moreover, Apple stacks additional bonuses on top of the base bonus for vulnerabilities that bypass Lockdown Mode and for those found in beta software, which means the maximum payout will exceed $5 million.

In addition to the record-high maximum bonus, Apple has also raised the reward standards for several other vulnerability categories to further encourage the security research community to explore key technology areas.

For example, two areas have not been successfully breached since their release: a complete bypass of Gatekeeper and unauthorized iCloud access. Their reward amounts have been increased to $100,000 and $1 million respectively.

Furthermore, to cover more attack surfaces, Apple has expanded the bounty categories. A one-click WebKit sandbox escape can earn a $300,000 reward, and a wireless proximity vulnerability in any radio implementation can earn as much as $1 million.

In addition to rewarding the discovery of vulnerabilities, Apple has also launched Target Flags. This is a new way for researchers to objectively prove the exploitability of certain top-tier bounty categories (including remote code execution and Transparency, Consent, and Control (TCC) bypass) and to help determine eligibility for specific rewards.

Researchers who submit reports with Target Flags will be eligible for accelerated rewards: once the submission is received and verified, the reward is processed immediately, even before the fix has been released.

In 2022, Apple established a $10 million cybersecurity grant to support civil society organizations in investigating highly targeted commercial surveillance software attacks.

Last month, with the launch of the iPhone 17, a new security protection feature, Memory Integrity Enforcement, arrived, aiming to strengthen the iPhone's resistance to the most common and most frequently exploited classes of software vulnerabilities.

Alongside this, Apple has announced that it will provide 1,000 iPhone 17s to civil society organizations. These devices will be distributed to groups at high risk, especially civil society members who may be targeted by commercial surveillance software.

Finally, Apple said that this update will take effect in November 2025. At that time, the newly added and expanded bounty categories, reward standards, and bonus details will be fully announced on the Apple Security Research website.

Let's wait and see!


This article is from the WeChat official account “QbitAI”. Author: Shiling. Republished by 36Kr with permission.