Apple is doubling its top bug bounty award to $2 million for hackers who can identify and report “exploit chains that achieve similar goals as sophisticated mercenary spyware attacks.”

That’s part of an expansion of the Apple security bounty programme, which increases the “in-scope” attack surface for security research, boosts rewards, and adds novel techniques.

Among them is the use of “target flags”, a way for researchers to demonstrate exploitability. Target flags are being baked into iOS, iPadOS, macOS, visionOS, watchOS, and tvOS, and cover a number of Apple Security Bounty areas, Apple said October 10.

The move aims to incentivise grey hat researchers to sell their exploits to Apple rather than to bad actors via zero day brokers.

The new Apple bug bounty programme awards are effective November 2025. The company said that it has paid out over $35 million to more than 800 security researchers since launching its bug bounty programme in 2020, which is over $7 million a year.

As with most bug bounty programmes, Apple has happy participants and no shortage of researchers grumbling over reports that are excluded from scope but fixed regardless, among other complaints.

More broadly, the vulnerability disclosure landscape is increasingly challenging for security researchers, with many software firms imposing strict non-disclosure agreements and other legal constraints on public reporting of security bugs.

Writing in The Stack last month, Pentera’s Nir Chako noted that “increasingly I’m seeing vendors deploy disclosure programs not as pathways to transparency, but as tools for control. What was once a collaborative effort is becoming a one-sided agreement: ‘Give us your research. But you don’t get to talk about it.’”

He added: “The goal seems obvious, avoid headlines, avoid scrutiny, and quietly delay or deprioritize remediation” and asked, based on a recent experience: “if responsible disclosure prevents public awareness, is it still responsible?”

See also: When “irresponsible disclosure” becomes the only responsible option...