
Apple has unveiled the most lucrative bug bounty program in the tech industry, doubling its top single reward to $2 million—with potential bonuses pushing total payouts beyond $5 million. The dramatic overhaul, set to take effect in November 2025, directly responds to the rising threat of mercenary spyware attacks that have targeted journalists, activists, and high-profile individuals worldwide.
The timing is significant: just months after security researchers confirmed zero-click spyware attacks exploited iPhone vulnerabilities to target European journalists, Apple is raising the stakes for security researchers who can find similar flaws before malicious actors do.
Since launching its public bounty program in 2020, Apple has awarded over $35 million to more than 800 researchers, with several reports already earning $500,000.
The new structure prioritizes real-world threats over theoretical vulnerabilities. Zero-click exploits (attacks requiring no user interaction) now command the $2 million maximum, while one-click attacks earn up to $1 million—quadruple the previous amount. Wireless proximity attacks and complete Gatekeeper bypasses on macOS also see substantial increases to $1 million and $100,000, respectively.
Perhaps most innovative is Apple's introduction of "Target Flags," a capture-the-flag system built directly into iOS, iPadOS, macOS, and other Apple operating systems.
These flags let researchers demonstrate a vulnerability's real impact in a way Apple can verify, and qualify for accelerated payment—even before fixes are deployed. "Confirmed rewards will be issued in an upcoming payment cycle rather than when a fix becomes available," Apple states, streamlining what has traditionally been a months-long process.
The company is also launching a special 2026 initiative providing 1,000 iPhone 17 devices equipped with Memory Integrity Enforcement to civil society organizations protecting at-risk individuals.
This hardware-level protection, which Apple calls "the most significant upgrade to memory safety in the history of consumer operating systems," aims to counter increasingly sophisticated mercenary spyware that costs millions to develop.
For security researchers, the message is clear: Apple wants the white hats to find vulnerabilities before the black hats do—and it's willing to pay top dollar to make it happen.