Apple Doubles Bug Bounties to Outbid Spyware Markets

Apple's revamped Security Bounty program offers up to $2M for zero-click exploits, aiming to outpace spyware markets and protect users from sophisticated attacks.

Apple now offers $2 million for critical security vulnerability discoveries. TechReviewer

Published: October 10, 2025

Written by Veronica Sweeney

A New Era for Ethical Hacking

Apple's Security Bounty program just got a major upgrade, with payouts now reaching up to $2 million for finding zero-click exploit chains that mimic mercenary spyware attacks. Announced at the Hexacon conference in Paris on October 9, 2025, this move doubles the previous top reward and positions Apple as a leader in incentivizing ethical hacking. The program's overhaul reflects a broader fight against sophisticated surveillance tools, like those peddled by NSO Group, which target vulnerable users with alarming precision.

The stakes are high. With over 2.35 billion active devices, Apple's ecosystem is a prime target for state-sponsored actors and exploit brokers. By offering hefty rewards, the company aims to keep security researchers focused on responsible disclosure rather than selling vulnerabilities to gray markets, where zero-day exploits can fetch millions. Since opening the program to the public in 2020, Apple has paid over $35 million to more than 800 researchers, proving its commitment to crowdsourced security.

Why Zero-Click Exploits Matter

Zero-click exploits are the holy grail of cyberattacks. They require no user interaction, slipping through defenses via a malicious iMessage or sneaky attachment. The BLASTPASS exploit, uncovered by Citizen Lab in September 2023, targeted an iPhone user at a Washington DC-based civil society group through a PassKit attachment. Apple patched it quickly, issuing fixes for two critical vulnerabilities. Lockdown Mode, a feature for high-risk users, blocked the attack entirely, showing why Apple's now offering $2 million for similar discoveries.

Contrast this with the FORCEDENTRY exploit from 2021, which exploited iOS 14's image processing flaws to bypass security via fake PDFs disguised as GIFs. These cases reveal a pattern: messaging apps remain a weak link, and Apple's bounty program now prioritizes these threats. By rewarding researchers for chaining vulnerabilities across security boundaries, the company ensures its defenses evolve faster than the tactics of spyware vendors.
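The pattern above, an attachment whose contents do not match its claimed type, is something defenders can screen for. The following is an added example, not code from the article or from Apple: it sniffs leading magic bytes of messaging attachments and flags a PDF body arriving under a .gif name. The signature table and sample files are constructed for illustration.

```python
# Magic-byte signatures for a few common attachment types.
# Constructed, deliberately short table; extend as needed.
MAGIC = {
    "pdf": [b"%PDF-"],
    "gif": [b"GIF87a", b"GIF89a"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
}

def sniff_type(data: bytes):
    """Return the type implied by the leading bytes, or None if unknown."""
    for kind, sigs in MAGIC.items():
        if any(data.startswith(sig) for sig in sigs):
            return kind
    return None

def check_attachment(filename: str, data: bytes) -> dict:
    """Compare the extension a file claims with what its bytes actually say.

    A mismatch is only reported when both the claimed and the sniffed type
    are known, so plain text or unknown formats are not false positives.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = {"jpeg": "jpg"}.get(ext, ext)      # normalise common alias
    actual = sniff_type(data)
    mismatch = actual is not None and ext in MAGIC and actual != ext
    return {"name": filename, "claimed": ext, "actual": actual, "mismatch": mismatch}

# Constructed sample attachments (harmless byte strings, not real exploit files).
SAMPLES = {
    "holiday.gif": b"GIF89a" + b"\x00" * 32,
    "invoice.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "cute.gif": b"%PDF-1.7\n" + b"\x00" * 32,   # PDF body under a .gif name
    "notes.txt": b"hello",                      # unknown type, not flagged
}

def scan(samples=SAMPLES):
    """Run the check over every sample and return the per-file results."""
    return [check_attachment(name, data) for name, data in samples.items()]

def flagged(samples=SAMPLES):
    """Names of attachments whose content type disagrees with their extension."""
    return [r["name"] for r in scan(samples) if r["mismatch"]]

if __name__ == "__main__":
    for r in scan():
        print(r)
```

A mismatch is a triage signal, not proof of malice; the point is that content type should be decided by parsing the bytes, never by the name the sender chose.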

Outbidding the Gray Market

Apple's increased bounties aren't just about generosity; they're a calculated move to compete with zero-day brokers like Zerodium, who've offered up to $2.5 million for Android exploits and $2 million for iOS chains. In August 2025, a new startup even dangled $20 million for full smartphone compromises. These gray markets thrive by paying researchers quickly, with fewer restrictions than corporate programs. Apple counters this with a new Target Flags system, letting researchers prove exploitability and get paid faster, even before patches roll out.

The strategy seems to be working. Higher rewards for one-click exploits (up to $1 million) and physical access attacks (up to $500,000) show Apple's listening to researchers who've long criticized slow payments and unclear reward criteria. Still, some researchers remain skeptical, citing past frustrations with Apple's communication. The company's challenge is to rebuild trust while making ethical disclosure as lucrative as the black market.

Fortifying the iPhone Fortress

Apple's not just throwing money at the problem. The iPhone 17's Memory Integrity Enforcement locks down memory access with hardware-level protections, making exploits harder to craft. This feature, paired with Lockdown Mode's enhanced safeguards across messaging, web browsing, and connectivity, raises the bar for attackers. Apple's also distributing 1,000 iPhone 17 devices to civil society groups, protecting activists and journalists who face targeted spyware attacks.

These advancements come with trade-offs. Developing working exploits for modern iOS systems can take months, discouraging some researchers even with bigger payouts. The Target Flags system, while innovative, demands new reporting methods that might trip up veterans. Yet Apple's focus on real-world threats, like zero-click chains, ensures users get patches faster, and bonuses for vulnerabilities found in beta software can push a researcher's total payout above $5 million.

Lessons From the Front Lines

The BLASTPASS and FORCEDENTRY cases teach us that no system is bulletproof, but proactive measures can blunt the worst threats. Apple's swift response to BLASTPASS, coupled with Lockdown Mode's success, shows how targeted security features protect high-risk users. FORCEDENTRY, however, exposed gaps in earlier iOS versions, underscoring the need for constant vigilance and researcher input.

Apple's program sets a high bar, but it's not perfect. Critics argue the rewards still lag behind the effort required to crack modern iOS defenses. Meanwhile, the mercenary spyware industry, valued in billions, keeps evolving. By aligning bounties with real-world attack vectors and investing in hardware like the iPhone 17, Apple's making a bold play to stay ahead. The question is whether these efforts can outpace the ingenuity of adversaries and keep researchers on the right side of the fight.