Apple doubles top Security Bounty to $2M (up to $5M with bonuses)

Apple updated its Security Bounty program in November, significantly raising rewards to encourage research into high-impact vulnerabilities. Key changes include:

  • Top award doubled from $1,000,000 to $2,000,000 for zero-click exploit chains that can achieve remote compromise; total payouts can exceed $5,000,000 when including bonuses (e.g., Lockdown Mode bypasses or beta-software findings).
  • One-click exploit chains: up to $1,000,000 (previously $250,000).
  • Physical-proximity attacks: up to $1,000,000 (previously $250,000).
  • Physical access to locked devices: maximum reward doubled to $500,000.
  • Chaining WebContent code execution with a sandbox escape: up to $300,000.

Apple also pointed to defenses such as Lockdown Mode (an optional hardened configuration that sharply reduces attack surface across Messages, web browsing, and other services, at the cost of some functionality) and the new Memory Integrity Enforcement, which is designed to make memory corruption exploits much harder to build. In its announcement Apple said the only system-level iOS attacks it has observed in the wild came from mercenary spyware, tools historically linked to state actors and highly targeted attacks.

Since expanding the program Apple has awarded over $35 million to more than 800 researchers. While top-dollar payouts are rare, multiple $500,000 awards have been made.

Thoughts? Will larger bounties meaningfully deter mercenary spyware, or just raise the stakes for both researchers and attackers? Share your perspective in the comments.
