Apple Boosts Rewards for Finding iOS and Security Flaws
Apple has announced a big increase in the top rewards for security researchers who find serious flaws in its platforms. During a speech at the offensive security conference Hexacon 2025, Ivan Krstić, Apple’s head of Security Engineering and Architecture, shared that the highest payout now reaches $2 million for exploit chains that can mimic the effects of advanced spyware attacks. If researchers stack this with other bounty rewards, they could earn up to $5 million for uncovering a series of vulnerabilities.
This change is part of Apple’s effort to encourage more security research. Starting in November, the company is also increasing rewards across many categories. For example, it is offering $100,000 for bypassing Gatekeeper, which is Apple’s security feature that controls app permissions. It is also offering $1 million for gaining broad unauthorized access to iCloud accounts. Interestingly, Apple says no one has yet demonstrated a successful exploit in these specific areas, but it is paying large sums in case someone does.
In addition, Apple has added bonuses for discovering exploits like sandbox escapes in WebKit, and attacks that work through nearby wireless signals. These high payouts are designed to motivate researchers to find vulnerabilities before bad actors do.
Why does Apple pay so much? The company started offering bug bounties only in 2019, but since then, the threat landscape has changed. Governments and security firms have begun launching serious attacks against Apple users, especially those who are activists, journalists, or officials. In response, Apple introduced Lockdown Mode in 2022, a high-security setting for very targeted users. The company also committed $10 million to support organizations that investigate and stop targeted cyberattacks.
Despite these efforts, Apple faces ongoing challenges. Authoritarian governments, like the UK, are pushing for back doors into encrypted data, which weakens security for everyone. Apple recognizes that it must keep investing heavily to defend its users against such threats, especially as attackers become more sophisticated.
One of the latest security measures announced alongside the iPhone 17 is Memory Integrity Enforcement (MIE). This new feature, developed over five years, helps protect against common memory bugs that hackers often use. These bugs are frequently exploited in surveillance tools used by repressive regimes against activists, journalists, and political figures. Apple says that most real-world iOS attacks come from such highly advanced spyware, which cost millions to develop and target only a small number of people.
To help protect at-risk groups, Apple is donating 1,000 iPhone 17s to human rights organizations that work with vulnerable individuals. The combination of MIE, Lockdown Mode, and other security features makes these sophisticated attacks more expensive and difficult to carry out. Still, Apple knows the fight isn’t over, which is why it’s boosting rewards for discovering vulnerabilities.
Apple’s senior security officer, Ivan Krstić, explained the company’s motivation in an interview with Wired. He said Apple feels a moral obligation to protect high-value users, even though most of its customers will never face such targeted threats. Krstić emphasized that efforts to weaken security for one group would put everyone at risk. Protecting the most vulnerable helps improve security for all.
In the end, Apple’s increased investments in bug bounties and security features show how serious it is about staying ahead of attackers. As threats evolve, so does Apple’s approach, aiming to make its platforms safer for everyone.