
Apple Doubles Top Bounty: Up to $2 Million for Zero-Click Exploit Chains


Apple expands its bug bounty program, offering up to $2 million for zero-click exploit chains.

Apple has expanded its Security Bounty Program, raising the maximum reward for complex exploit chains to $2 million. The new top payout underscores Apple’s focus on defending users against mercenary spyware and advanced threat actors.

According to Help Net Security (Zeljka Zorz, October 10, 2025), researchers who uncover zero-click exploit chains, meaning chains that compromise a device without any action by its user, can now earn up to $2 million. Bonus multipliers apply to exploits that bypass Lockdown Mode or that affect beta software, so a single top-tier report can be worth more than $5 million.

Apple noted that the updated program takes effect in November 2025 and comes with clearer submission categories and target guidelines. Since its public launch in 2020, the program has paid out more than $35 million to over 800 security researchers. (Sources: Help Net Security, SecurityWeek, Apple Security Bounty Blog)


What’s New in Apple’s Bounty Program

Before this expansion, Apple’s highest bounty—$1 million—covered zero-click kernel exploits that achieved code execution with persistence. Other categories offered between $100,000 and $500,000.

New highlights include:

  • $2 million top award for confirmed zero-click exploit chains.

  • 50 percent bonus for vulnerabilities in public or developer betas.

  • Double rewards for Lockdown Mode bypasses.

This is the largest single-tier increase in the program’s history and a clear signal that Apple intends to compete with the prices exploit brokers and gray-market buyers pay for comparable chains.


Why Apple Is Raising the Stakes

Apple says the new structure responds to the growing use of zero-click exploits by private spyware vendors. These attacks require no interaction from the victim: a malicious message or call delivered over iMessage or FaceTime, or a crafted web page rendered by Safari, can compromise the device remotely.

By offering record-high rewards, Apple aims to incentivize coordinated disclosure and reduce the appeal of selling vulnerabilities to brokers. Ivan Krstić, Head of Security Engineering and Architecture, stated that these updates reinforce Apple’s mission to protect the two billion devices in its ecosystem. (Sources: Wired, SecurityWeek)


OSRS Perspective: Rewarding Ethical Discovery

At ÒGÚN Security Research and Strategic Consulting (OSRS), we welcome Apple’s expanded bounty program as a positive shift for the global security community. High-value rewards encourage ethical hackers to report flaws responsibly and strengthen public trust in technology.

Through our OSRS Vulnerability Research and Disclosure Program, we help cybersecurity professionals:

  • Report vulnerabilities responsibly to vendors like Apple, Google, and Microsoft.

  • Understand exploit-chain mechanics and risk modeling.

  • Balance security research with legal and ethical responsibilities.

This change by Apple sets a strong precedent: the fight against advanced cyber threats depends on transparency, incentives, and collaboration.


About the Author:

Dr. Sunday Oludare Ogunlana is a cybersecurity and AI governance expert and the founder of ÒGÚN Security Research and Strategic Consulting LLC (OSRS), specializing in digital forensics, incident response, and cyber risk intelligence.
