
Apple Raises Bug Bounty to $2 Million as Spyware Threats Grow

By Staff Writer | October 12, 2025

Apple announced a significant boost to its vulnerability-reward program on Friday, increasing the top payout for the most dangerous iPhone exploit chains to $2 million — and flagging additional bonuses that could raise the total to as much as $5 million, company officials told WIRED.

The move, revealed at the Hexacon offensive security conference in Paris by Apple vice president of security engineering and architecture Ivan Krstić, is the company's latest public effort to counter an expanding market for commercial spyware and the mercenary hacking tools built around it. Apple first launched its bug bounty nearly a decade ago and has periodically raised the maximum reward as the stakes for mobile security have risen: a $200,000 top prize in 2016, then a $1 million ceiling introduced in 2019.

A response to an evolving threat landscape

Krstić framed the payout increase as necessary given the sophistication of current attack chains and the growing number of actors willing to buy and weaponize zero-day vulnerabilities. Apple's earlier bounty tiers were priced around individual flaws; the company says the new rewards instead reflect how real attacks work, chaining several bugs (for example a remote entry point, a sandbox escape and a privilege escalation) so that no single flaw, on its own limited in reach, becomes a remote, persistent spyware capability.

“Exploit chains that allow attackers to install spyware without user interaction are the most consequential threats to our users,” Krstić told WIRED. The newly advertised $2 million base payout targets precisely these chains: complex, multi-stage sequences of vulnerabilities that together enable full device compromise.

Apple is also offering discretionary bonuses on top of the base payout for exploit reports that meet certain criteria — such as being zero-click, persistent, or used in the wild by mercenary spyware vendors. Those add-ons, Krstić said, are intended to match the market value of highly prized exploits and could push a single reward to $5 million when all qualifying bonuses are applied.

Money as prevention — and a market signal

The elevated reward structure is a strategic bet: Apple is attempting to persuade security researchers and independent exploit brokers that selling to the company is more lucrative than, and ethically preferable to, feeding a clandestine spyware market. In doing so, Apple acknowledges an uncomfortable truth for device makers and users alike: powerful offensive capabilities can be monetized by third parties, fueling a shadow ecosystem with real-world harms.

Security industry observers say higher bounties can help, but they are not a panacea. “Higher bounties make it more attractive for good-faith researchers to disclose to vendors instead of black-market buyers,” said an independent security consultant. “But if the market price for a zero-click chain exceeds what vendors are willing to offer, some vulnerabilities will still leak.”

Apple’s approach of coupling a larger structural bounty with targeted bonuses signals that the company is trying to better match market realities. By explicitly rewarding zero-click, persistent, and in-the-wild discoveries more generously, Apple aims to reduce the financial incentives that drive exploit sales to mercenary spyware firms.

Transparency, legal complexities and the ethics of payment

Underscoring the program's limits, Apple's bounty model depends on researchers choosing to report rather than sell. The company has long emphasized responsible disclosure and the legal terms that govern its program, but paying large sums for device-compromising exploits also raises practical and ethical questions. For instance, how does Apple verify whether a reported bug has previously been weaponized, given that in-the-wild use qualifies for a bonus? How are payments structured for complex multi-party disclosures, where several researchers contribute links of one chain? And how will Apple avoid inadvertently incentivizing risky behavior, such as disclosers testing exploit chains on live devices belonging to other people?

Krstić told WIRED that Apple has invested in triage and verification processes to vet submissions — a necessary step when multi-million-dollar payouts are at stake. Still, privacy advocates and policy analysts note that payouts alone won’t eliminate the commercial spyware market without broader international controls on spyware vendors and purchasers.

What it means for users and the security community

For iPhone users, the policy change is a positive signal: Apple is allocating capital to make the platform more expensive and difficult for attackers to compromise. For security researchers, the updated program places a clear premium on reporting high-risk, in-the-wild exploit chains to Apple rather than to third parties.

The announcement also opens a new chapter in how tech companies compete with commercial exploit buyers. In recent years, governments and private companies have become customers for the same kinds of capabilities, and the market value for a robust zero-click chain has ballooned. Apple’s $2 million-plus offering is intended not only as a reward but as a deterrent — to make the value of disclosure to Apple at least competitive with, if not superior to, other buyers.

The long view

Raising the stakes to $2 million, with a possible total of $5 million including bonuses, is an unmistakable sign that Apple sees the spyware threat as existential to user privacy on modern smartphones. The plan combines monetary incentives, improved vulnerability triage, and public messaging to shape researcher behavior and reduce the supply of exploitable zero-days on the market.

Whether the approach will curb the trade in offensive cyber capabilities remains to be seen. For now, Apple has publicly acknowledged that defending billions of devices may require paying sums once considered extraordinary — a recognition that the economics of security have changed, and that combating dedicated attackers will be as much about market dynamics as technical countermeasures.
