Apple has dramatically raised the stakes in the cybersecurity arena, announcing a record $2 million base payout, with bonuses that can push a single award to $5 million, for researchers who uncover the most dangerous iPhone exploit chains. The new ceiling, revealed by Ivan Krstić, Apple’s Vice President of Security Engineering, at the Hexacon Security Conference in Paris, reflects the company’s intent to outpace the booming mercenary spyware market.
The updated Apple Security Bounty, launching in November 2025, introduces new categories and incentives for finding complex exploit chains that can compromise iOS devices. Extra bonuses will reward discoveries that bypass Lockdown Mode, affect beta software, or exploit WebKit and wireless proximity vulnerabilities. Krstić told WIRED the company is “lining up to pay many millions of dollars” to ensure high-level researchers disclose their findings responsibly instead of selling them to private spyware firms.
The new structure marks Apple’s biggest expansion since the program went public in 2020. Since then, the company has paid $35 million to over 800 researchers, with multiple half-million-dollar payouts. The higher ceiling mirrors the skyrocketing value of zero-day exploits on the black market — some of which can sell for millions to surveillance companies. “Apple is effectively outbidding the gray market to buy trust and transparency,” said James Lewis, cybersecurity analyst at CSIS.
Among the new features is “Target Flags,” a mechanism inspired by capture-the-flag competitions that lets researchers objectively demonstrate that an exploit achieved a specific capability, such as code execution, so Apple can verify the report and pay out faster. Experts say the move could make Apple’s bounty one of the most lucrative, and technically demanding, programs in the industry.
Alongside the bounty expansion, Apple is hardening defenses across its ecosystem. The iPhone 17 lineup introduces Memory Integrity Enforcement (MIE), designed to block the memory-corruption bug classes most commonly exploited against iOS. Apple also pledged to donate 1,000 iPhone 17s to human-rights groups aiding journalists and activists facing digital surveillance. “Even if most users will never be targeted, this work raises protection for everyone,” Krstić said.
Industry observers view these measures as part of Apple’s wider strategy to curb misuse of digital surveillance tools like Pegasus and strengthen trust in its platform. Dr. Lina Hossain of Oxford University called the new bounty “a pragmatic acknowledgment that financial incentives — not goodwill — are what drive responsible disclosure at the top tier.”
Apple’s move signals a shift toward greater collaboration with independent researchers. Insiders told The Middle East Observer that the company is exploring pre-disclosure partnerships with top security labs to accelerate fixes for critical vulnerabilities.
With more than 2.35 billion active devices worldwide, Apple remains both a prime target and a defensive benchmark. Its record-breaking $5 million bounty underscores a simple reality: in today’s cyber landscape, the race to secure billions of users hinges on rewarding — and respecting — those capable of breaking the system before the bad actors do.