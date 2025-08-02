Apple promotes its Security Bounty program as one of the most generous in the tech world, offering up to $2 million for high-risk vulnerabilities. But recent events raise questions about how the company determines payouts. A researcher who reported a serious flaw in Safari received only $1,000, even though Apple labeled the bug as “Critical” and gave it a severity score of 9.8 out of 10.

A Serious Vulnerability, A Surprisingly Low Reward

The researcher, who goes by RenwaX23 on X, found a Universal Cross-Site Scripting (UXSS) vulnerability in Safari. Unlike an ordinary XSS bug in a single website, a UXSS flaw lives in the browser itself and lets attacker-controlled script run in the context of any site, bypassing the same-origin policy; this allows attackers to impersonate users and gain access to private data. In this case, the exploit opened a path to iCloud accounts and even the iOS Camera app.

Apple acknowledged the vulnerability, recorded it as CVE-2025-30466, and patched it in Safari 18.4, which was released with iOS/iPadOS 18.4 and macOS 15.4 back in March. Despite the severity and potential impact, Apple paid RenwaX23 only $1,000.

Apple Cites Interaction Requirement, But Researchers Disagree

According to Apple’s bounty guidelines, payout amounts depend on several factors: the level of user interaction required, number of users affected, depth of access, and the quality of the submitted report. In this case, Apple may have reduced the payout because the exploit required user action to work.

Still, security researchers argue that Apple applies these criteria inconsistently. In response to RenwaX23’s post, another researcher, Taiko_soup, shared that Apple offered only $5,000 for a vulnerability that should have qualified for $50,000 under the company’s own framework.

Macworld first reported on RenwaX23’s experience. The outlet highlighted growing frustration within the security research community over Apple’s inconsistent and, at times, minimal payouts.

Apple’s Reputation with Security Researchers at Risk

The issue isn’t just about money. It’s about the value Apple places on the work of researchers who help keep its ecosystem safe. These experts spend countless hours analyzing code, simulating attacks, and documenting bugs. When a company of Apple’s size offers $1,000 for a critical vulnerability, it undermines that work.

Apple says it values collaboration with the security community and regularly publishes updates on fixed vulnerabilities. But if it wants to maintain goodwill, it needs to back that up with payouts that match the risks researchers help mitigate.