Apple is announcing a major expansion and redesign of its bug bounty program, doubling maximum payouts, adding new research categories, and introducing a more transparent reward structure.

Since the program launched in 2020, Apple has awarded $35 million to 800 security researchers, paying $500,000 for some of the submitted reports.

The highest reward has been doubled to $2 million, for reporting vulnerabilities that can lead to zero-click (no user interaction) remote compromise, similar to mercenary spyware attacks. However, payouts can go as high as $5 million through the bonus system.

“This is an unprecedented amount in the industry and the largest payout offered by any bounty program we’re aware of - and our bonus system, providing additional rewards for Lockdown Mode bypasses and vulnerabilities discovered in beta software, can more than double this reward, with a maximum payout in excess of $5 million,” said Apple.

Other payouts increased or introduced under the new program scheme include:

- One-click (user interaction) remote attack: $1,000,000
- Wireless proximity attack: $1,000,000
- Broad unauthorized iCloud access: $1,000,000
- WebKit exploit chain leading to unsigned arbitrary code execution: $1,000,000
- Attack on locked device with physical access: $500,000
- App sandbox escape: $500,000
- One-click WebKit sandbox escape: $300,000
- macOS Gatekeeper complete bypass with no user interaction: $100,000
- $1,000 “encouragement award” for low-impact but valid reports

Apple comments that it has never received a report demonstrating a complete Gatekeeper bypass with no user interaction or broad unauthorized iCloud access, so these two are high-difficulty categories for bug bounty hunters.

Additionally, Apple said that it has “never observed a real-world, zero-click attack executed purely through wireless proximity,” referring to the $1M ‘Wireless Proximity’ award, upped from $250,000 previously.
This category is also being expanded, now including Apple-developed chips such as the C1 and C1X modems and the N1 wireless chip.

For 2026, Apple plans to distribute a thousand secured iPhone 17 devices to members of civil society organizations at higher risk of being targeted by mercenary spyware. The same devices will power Apple’s Security Research Device Program next year, which security researchers can apply for by October 31.

The tech giant expects that the increased awards will have an additional impact on the development of sophisticated attack chains from spyware vendors, as researchers will be more incentivized to find and report security issues.

To protect its users from sophisticated spyware attacks, Apple has implemented advanced protection measures in iOS, such as Lockdown Mode and Memory Integrity Enforcement, which make developing and carrying out stealthy spyware attacks more expensive.