Overview
- Apple announced at Hexacon in Paris that its Security Bounty will lift the maximum payout to $2 million, with the changes taking effect in November.
- The revamped framework prioritizes complete, demonstrable exploit chains across iOS, macOS, iPadOS, watchOS, tvOS and visionOS, targeting techniques tied to mercenary spyware and state actors.
- Rewards will range from $5,000 to $2,000,000 at Apple’s discretion based on impact, access achieved and the quality of the technical report.
- Top categories include up to $2 million for remote zero-click chains, up to $1 million for single-click WebKit sandbox escapes, proximity wireless exploits and broad iCloud access, and $100,000 for an interaction-free Gatekeeper bypass on macOS, with bonuses for Lockdown Mode and beta software.
- Researchers must submit detailed, reproducible reports through security.apple.com/bounty, where submissions can be tracked through review, fixes and recognition.