Apple just made finding iPhone exploits more lucrative than most people's annual salaries. The company has doubled its top bug bounty award from $1 million to $2 million for zero-click exploit chains, attacks that compromise a device with no interaction from its owner. Stack the bonuses for bypassing Lockdown Mode and for bugs found in beta software, and a single submission can pay out more than $5 million. That is not just raising the stakes; it is a direct bid against the black-market exploit economy.
The New Bounty Breakdown
Your phone's security vulnerabilities now carry price tags that would make lottery winners jealous. Wireless proximity attacks over any radio and one-click attacks each now pay up to $1 million, quadruple the previous ceiling. Physical attacks on a locked device max out at $500,000, while WebKit code execution chained with a sandbox escape nets $300,000. Even a macOS Gatekeeper bypass that needs no user interaction commands $100,000. One caveat for anyone counting: these are maximums for complete, working exploit chains demonstrated end to end, not for a single memory-safety bug, and the actual award depends on the demonstrated impact and the quality of the report.
Follow the Money Trail
Since the program moved from invitation-only to open enrollment, Apple has paid out more than $35 million to more than 800 security researchers (Apple's tally starts in 2020). Multiple $500,000 awards have already been paid, and the total works out to roughly $44,000 per researcher, a mean that hides a distribution skewed by a handful of large payouts. Apple VP Ivan Krstić told Wired in a recent interview that top-tier rewards remain "rare" but stressed their necessity as a counterweight to mercenary spyware vendors who offer similar sums for weaponized exploits.
The Target Flags Revolution
Beyond the headline numbers, Apple is rolling out Target Flags: objective markers embedded in the operating system that a researcher captures to prove an exploit achieved a specific result, modeled on capture-the-flag competitions. Capturing a flag replaces the lengthy back-and-forth in which researcher and vendor argue over what an exploit really accomplished. Apple says flagged submissions qualify for accelerated awards that can be paid before the fix ships, which tilts the incentive toward responsible disclosure and away from an underground sale.
This financial arms race isn’t just about protecting iPhones—it’s about redirecting elite hacking talent toward defending the devices in your pocket rather than compromising them. When your personal data becomes the battlefield, Apple’s betting that outbidding the bad guys makes everyone safer.