Apple doubles security bounty to $2 million, with bonuses potentially increasing rewards to $5 million.


Apple announced at Hexacon 2025, the top global offensive security conference, that it will double its highest security bounty to $2 million. This makes Cupertino the most generous company offering an award for unearthing vulnerabilities, and it is also offering top-up bonuses that can see security researchers earn more than $5 million for a single exploit chain. According to Apple’s Security Research blog, it has already awarded over $35 million to more than 800 security researchers since 2020, bringing the average award to $43,750. It also claimed that multiple individuals have received $500,000 in rewards.

The top $2-million award is reserved for those who discover sophisticated exploit chains similar to those used in mercenary spyware attacks. Beyond that, there is also a bonus system for exploits that defeat Apple’s Lockdown Mode and for vulnerabilities found in its beta software, bringing the potential payout to over $5 million. There are also smaller awards: $1 million for those who can break broad iCloud security or who can create a wireless proximity attack over radio, up to $300,000 for anyone who develops a one-click WebKit sandbox escape, and $100,000 for those who can bypass Gatekeeper on macOS.


This isn’t the only bug bounty program anyone can participate in. AMD announced its own program last year, with a payout of up to $30,000, while Intel offers a maximum of $100,000. Microsoft’s maximum award at the moment is $250,000, and it has even lowered its age limit to 13 because of a high school junior who filed over 20 security vulnerability reports last summer. Meta launched a bug bounty program in 2011 and now offers a maximum bug bounty of $300,000 (with $25,000,000 awarded to date). And last, but not least, Google began its Vulnerability Reward Program (VRP) in 2010. The search giant’s rewards range from a few hundred dollars to a million dollars for the most serious vulnerabilities in its Titan M security chip. The company paid $11.8 million in 2024 to 660 researchers, bringing the average award to $17,800 per head.

These awards can make finding bugs a lucrative field, especially for talented security researchers. And while it might seem like an expensive proposition for companies, it is far cheaper for them to pay out these bounties than to have a bad actor discover a flaw and exploit or sell it without their knowledge, resulting in reputational and financial damage for the corporation. Moreover, software mistakes can potentially cost lives, as state actors and other third parties are increasingly using sophisticated means to target specific individuals.

Jowi Morales
Contributing Writer

Jowi Morales is a tech enthusiast with years of experience working in the industry. He’s been writing with several tech publications since 2021, where he’s been interested in tech hardware and consumer electronics.