The iPhone maker’s head of security has announced a dramatic increase in the rewards available under its bug bounty scheme
Apple’s head of Security Engineering and Architecture (SEAR), Ivan Krstić, used his address at the Offensive Security event Hexacon 2025 to announce the substantial change, a clear signal of the company’s ramped-up defence strategy against highly targeted cyberattacks.
The bounty scheme, designed to encourage security researchers to report flaws directly to Apple rather than selling them on the lucrative gray market, will now offer a top award of USD 2 million. This sum is reserved for exploit chains that can achieve similar goals to sophisticated mercenary spyware attacks. Critically, this bonus can be combined with other security bounties, potentially pushing a single researcher’s total award up to an unprecedented USD 5 million.
The tech giant is betting that rewards of this magnitude will divert the skills of top-tier platform security experts away from “dodgy surveillance-as-a-service firms,” which have become key players in the global cyber-espionage landscape.
From November, the company will also be significantly increasing rewards across many other categories to encourage more intensive, focused research. These new awards include a USD 100,000 reward for a complete bypass of the macOS Gatekeeper security feature, and USD 1 million for broad unauthorized iCloud access. Apple noted that no successful exploit has yet been demonstrated in either of these two high-value categories. New bonuses have also been introduced for WebKit sandbox escapes and wireless proximity exploits.
Battle against state surveillance
Apple first began paying for vulnerability information relatively recently in 2019, coinciding with a shift in the threat environment as governments and government-adjacent ‘security’ firms began executing serious and targeted attacks against the company’s customers.
This escalating arms race saw Apple respond in 2022 by introducing Lockdown Mode, a high-security system designed to deliver stronger protection for potentially vulnerable targets, such as journalists, activists, and dissidents. The company simultaneously committed USD 10 million to support organizations that investigate, expose, and prevent these highly targeted cyberattacks.
The continued necessity of these investments is clear. Numerous instances of state-sponsored attacks have emerged since then, particularly from mercenary spyware providers.
While attempting to secure its platforms and its customers globally, Apple must also grapple with the legislative efforts of authoritarian and, critics argue, irresponsible governments. Decisions made in national capitals inevitably risk weakening platform security for millions. The UK’s attempt to carve a back door into encrypted iCloud data is a prime example of this pressure, demonstrating why Apple will need to invest even more than it already does in security to protect these newly weakened flanks.