Apple just rewrote the rules of its Security Bounty. You now see a top payout of 2 million dollars for complete exploit chains that mirror mercenary spyware. With bonuses for Lockdown Mode bypasses and bugs in beta software, total awards can cross 5 million dollars. The focus shifts from single bugs to end-to-end chains that reflect how real attacks work.

You also get a faster path to payment. Apple will pay confirmed awards in the next payment cycle once it validates evidence, instead of waiting for a public fix. That reduces months of uncertainty for researchers who land meaningful findings.

Target Flags and a higher bar for real-world impact

Apple is introducing Target Flags, a built-in way to prove exactly what you reached during exploitation, such as code execution or arbitrary read and write. When you submit a report with a captured flag, Apple can verify it and notify you of the award right away. The company says this makes results more objective and payouts more predictable.

The structure rewards attacks that begin remotely and chain across boundaries. Remote-entry vectors now earn more. Categories that do not track with in-the-wild activity earn less. You should expect the review to prioritize proof of impact on current hardware and software.

Key increases at a glance:

Attack vector                                                        Current maximum   New maximum
Zero-click chain (remote attack, no user interaction)                $1,000,000        $2,000,000
One-click chain (remote attack, one-click user interaction)          $250,000          $1,000,000
Wireless proximity attack (requires physical proximity to device)    $250,000          $1,000,000
Physical device access (requires physical access to locked device)   $250,000          $500,000
App sandbox escape (from app sandbox to SPTM bypass)                 $150,000          $500,000

New categories

Apple expands the scope. One-click WebKit sandbox escapes now reach up to 300,000 dollars. Wireless proximity exploits over any radio can pay up to 1 million dollars. A full Gatekeeper bypass on macOS earns 100,000 dollars. The updated program takes effect in November 2025, and Apple will publish the full matrix of categories, rewards, and Target Flag instructions then.

You also see bonuses for findings in developer and public betas, and for findings that defeat Lockdown Mode. If your report lands outside the published categories but still matters to user safety, Apple now offers a permanent 1,000-dollar award alongside CVE credit.

Research devices and civil society support

Apple plans a 2026 Security Research Device Program that includes iPhone 17 with Memory Integrity Enforcement. Researchers with a track record can apply, and findings from these devices get priority consideration. Apple will also provide 1,000 iPhone 17 units to civil society groups to place with at-risk users.

Whether you are new to the program or returning, you get clearer criteria, higher ceilings, and quicker outcomes. The message is simple: deliver verifiable chains on current platforms, and you get paid faster and more.