Apple has significantly increased its bug bounty rewards, offering up to $2 million for critical vulnerabilities — the highest payout currently available from any major technology company. The move underscores Apple’s growing focus on securing its ecosystem against increasingly sophisticated cyber threats and incentivizing the global security community to report vulnerabilities responsibly.
A Major Increase for Major Threats
The new maximum payout applies specifically to zero-click, full-chain exploits: chains of vulnerabilities that take over an Apple device from a remote entry point, such as an incoming message, with no action from the victim. These attacks, most often aimed at iOS and macOS, are the most valuable on the underground exploit market because they leave the victim nothing to notice and can be turned against millions of users.
Apple’s previous top reward was $1 million, introduced in 2019 when the company first opened its bounty program to all researchers. By doubling the cap, Apple signals not only a willingness to compete with black-market prices but also a desire to reinforce trust between independent security experts and its internal teams.
An Apple spokesperson confirmed the adjustment, saying the expanded program “reflects the evolving threat landscape and the importance of collaboration with the security research community.”
Why the Increase Matters
Zero-day exploits, which take advantage of vulnerabilities still unknown to the vendor and therefore unpatched, have become a lucrative commodity, sometimes fetching several million dollars through private brokers or state-sponsored buyers. By offering comparable legitimate payouts, Apple aims to deter the sale of vulnerabilities to unethical or criminal actors.
Industry analysts note that the change also positions Apple as a leader in ethical security research compensation. Competing programs from Google, Microsoft, and Meta currently offer maximum rewards of around $1 million or less for equivalent categories of exploits.
Apple’s higher ceiling could shift the dynamics of vulnerability disclosure, encouraging more researchers to share discoveries responsibly rather than seeking alternative markets.
Expanded Coverage and Transparency
Beyond the headline figure, Apple is also expanding eligibility and refining submission procedures to make the program more accessible. Researchers can now submit findings across a wider range of products, including Apple Vision Pro, watchOS, and HomePod, reflecting the company’s rapidly diversifying hardware portfolio.
In addition, the company is introducing a new “Transparency Tier” for researchers whose submissions directly result in measurable security improvements. These contributors will be credited in Apple’s security bulletins and invited to private briefings about upcoming platform protections — an effort to strengthen long-term collaboration.
The company says it’s also improving response times for verified reports, addressing a long-standing criticism among researchers who claimed that Apple’s previous program often took months to acknowledge or resolve issues.
A Shift in Security Strategy
The increase aligns with Apple’s broader shift toward proactive security design, particularly through its new “Secure Enclave modernization” and on-device AI protection frameworks introduced with iOS 18 and macOS Sequoia.
Apple’s bug bounty program now covers exploits that target on-device machine learning models, a new vector of potential risk as generative AI becomes more deeply embedded in iPhones, Macs, and Apple Silicon devices.
By incentivizing early discovery in this area, Apple hopes to stay ahead of attackers exploring AI-driven attack methods or data extraction techniques.
Competing with the Exploit Market
The black market for zero-day exploits has grown into a multimillion-dollar industry, with private brokers often offering higher payouts than official programs. For years, companies like Apple have struggled to compete with those prices while maintaining transparency and ethical boundaries.
With this latest move, Apple is sending a clear message that it’s willing to match the market — legally. Security experts say the higher reward may also help Apple build stronger relationships with independent researchers, who are often first to identify high-severity flaws.
“This change makes responsible disclosure more appealing than ever,” said independent researcher Ryan Pickren, who previously earned over $500,000 from Apple for reporting camera and Safari vulnerabilities. “It shows Apple is serious about valuing our work.”
The Global Context
Apple’s announcement comes amid a rising wave of cybersecurity legislation and international pressure on tech giants to better protect users’ data. Governments, including those in the U.S. and EU, have called for stricter vulnerability management policies — a space where bug bounty programs play a crucial preventive role.
By offering top-tier rewards and improved transparency, Apple strengthens its image as one of the most secure consumer tech ecosystems — an essential advantage as devices become more interconnected and AI-enabled.
What Researchers Should Know
Security researchers can register and submit findings through Apple’s Security Bounty portal. The company evaluates each report based on impact, reproducibility, and scope. Rewards vary by exploit category, ranging from smaller payouts for minor bugs to the new $2 million top tier for systemwide, persistent, zero-click vulnerabilities.
Eligible platforms include iOS, macOS, iPadOS, watchOS, tvOS, visionOS, and key services tied to Apple ID and iCloud.
Apple encourages all participants to follow coordinated disclosure practices: report the vulnerability directly to the company and withhold public details until a fix has shipped to users.
The program’s update also coincides with Apple’s latest push to hire more in-house security engineers and expand its Red Team — internal experts who simulate sophisticated attacks to test the company’s defenses.