Apple is increasing the bounty it pays to security experts who successfully bypass iOS protections, with the top single payment now increased to $2 million.

The bug bounty program has routinely been criticized, and even called crippled, because of Apple's traditionally miserly approach. While the payouts are not the worst in the industry, the company has had a reputation for being reluctant to sign the checks.

Now Apple has announced that it is increasing its payouts, and offering what it calls "accelerated awards." Specifically, Apple says that as of November 2025, it is doubling its top single award to $2 million — and through a bonus system, that could grow to $5 million.

"We are lining up to pay many millions of dollars here, and there's a reason," Apple vice president of security engineering and architecture Ivan Krstic has told Wired.

"We want to make sure that for the hardest categories, the hardest problems, the things that most closely mirror the kinds of attacks that we see with mercenary spyware," he continued, "that the researchers who have those skills and abilities and put in that effort and time can get a tremendous reward."

A table showing security attack types with current and new maximum rewards for vulnerabilities; values range from $150K to $2M.

Apple's examples of how it has increased its security bounty — image credit: Apple

Apple's latest announcement outlines an expanded list of security categories. It also says that reports submitted using its new Target Flag system may get awards "even before a fix is available."

While the full list of security categories has yet to be revealed, Apple notes that it includes wireless proximity exploits and one-click WebKit sandbox escapes.

Specifically to encourage new researchers, Apple says that it has been piloting a system of rewarding finds of lower-impact problems with $1,000. As of November 2025, that award will be a permanent tier in its updated system.

Apple's original security bounty program in 2016 was aimed at security experts who registered with Apple. This continues, with the current 2025 registration remaining open until October 31.

However, the new system is specifically said to be an extension of the public Apple Security Bounty program, open to anyone who reports security issues. This public version was first launched in 2020, and since then, Apple claims to have paid out over $35 million to more than 800 security researchers.