Apple is stepping up its efforts to find and fix security flaws with a big increase in its bug bounty program. The company announced that it will now pay up to $2 million for discovering serious software exploits that could be used for spyware. When bonuses are included, the maximum payout can reach as high as $5 million. This change shows how much Apple values the security vulnerabilities that malicious actors might exploit, especially in its tightly protected mobile environment.

What’s New with Apple’s Bug Bounty Program

Apple’s bug bounty program started nearly ten years ago. Over time, the maximum payouts have grown from $200,000 in 2016 to $1 million in 2019. Now, the company is making an even bigger push to reward security researchers. The announcement was made at the Hexacon security conference in Paris by Ivan Krstić, Apple’s vice president of security engineering. He explained that the new payout reflects how critical some exploits are, especially those that can be turned into spyware.

The new payout structure is not just about individual rewards. Apple also offers bonuses for exploits that can bypass its extra-secure Lockdown Mode or are found during beta testing of new software. When all bonuses are combined, the highest possible reward for a chain of dangerous exploits can now reach $5 million. The new rules will start next month, giving researchers a bigger incentive to find vulnerabilities before bad actors do.

Why Apple Is Offering Such Big Rewards

Apple’s devices are used by more than 2.35 billion people worldwide. The bug bounty program was originally invite-only but opened to the public in 2020. Since then, Apple says it has paid out over $35 million to more than 800 security researchers. While huge payouts are rare, Krstić notes that Apple has awarded several $500,000 prizes in recent years.

The company is also expanding the types of exploits it will pay for. Now, researchers can report certain browser exploits, wireless vulnerabilities, and even participate in “Target Flags” challenges. These challenges are designed to test how well researchers can demonstrate their exploits in real-world scenarios quickly and clearly.

Beyond bug bounties, Apple invests heavily in other security measures. For example, the company recently introduced Memory Integrity Enforcement on the iPhone 17 to protect against common, highly targeted bugs. This feature aims to defend vulnerable groups like journalists and activists, who are often targeted by mercenary spyware. Apple also plans to donate a thousand iPhone 17s to organizations that support at-risk individuals facing digital threats.

Protecting the Most Targeted Users

Krstić emphasized that Apple’s efforts are driven by a moral obligation to protect those most at risk. Although most users will never face targeted digital attacks, Apple believes that strengthening security for the most vulnerable will ultimately benefit everyone. The company sees the bug bounty and other security investments as crucial parts of a broader strategy to reduce dangerous vulnerabilities and prevent exploitation.

All these steps show how serious Apple is about staying ahead of bad actors. By offering bigger rewards and expanding its security tools, the company aims to keep its devices safe and secure for all users. As threats evolve, Apple’s focus on proactive security measures continues to grow, highlighting the importance of collaboration between companies and security researchers worldwide.

Inspired by

• https://arstechnica.com/security/2025/10/apple-ups-the-reward-for-finding-major-exploits-to-2-million/

Sources

• wired.com
• conde.digital
• cnevids.com
• wired.com
• wired.com