Apple doubles security bounty at Hexacon 2025
Friday, October 10, 2025, 02:17 PM, from ComputerWorld
If you know your way around platform security, you don’t need to sell your discoveries to dodgy surveillance-as-a-service firms; Apple will make you a millionaire. During his talk at the offensive security conference Hexacon 2025, Ivan Krstić, Apple’s head of Security Engineering and Architecture (SEAR), announced a big increase in the top award available under the Apple Security Bounty program.
Make millions, do the right thing

The bounty now maxes out at $2 million for exploit chains that achieve the same goals as sophisticated mercenary spyware attacks. That top award also stacks with the bonuses Apple already offers, so researchers who identify a new chain of exploits can earn as much as $5 million. From November, Apple is also doubling or significantly increasing rewards in many other categories to encourage more intensive research. The new awards include $100,000 for a complete Gatekeeper bypass and $1 million for broad unauthorized iCloud access, though Apple notes that no successful exploit has been demonstrated to date in either category. Apple has also introduced new reward categories for WebKit sandbox escapes and wireless proximity exploits.

Why does Apple pay so much?

Apple started paying for this kind of information relatively recently: its bounty program was opened to all researchers in 2019. It was around then that the nature of these attacks began to change, as governments and government-adjacent ‘security’ firms began mounting serious attacks against the company’s customers. In 2022, the company announced Lockdown Mode, its high-security configuration that delivers even stronger protection for potentially vulnerable targets, and committed $10 million to support organizations that investigate, expose, and prevent highly targeted cyberattacks.

These efforts continue. They must. We’ve seen numerous instances of such attacks since then, particularly but not exclusively on the part of mercenary spyware firms, and Apple in turn continues to ramp up security protection across its products and services. While attempting to secure its platforms and its customers, Apple must also grapple with authoritarian and irresponsible governments whose decisions inevitably weaken security. The UK’s attempt to carve a back door into encrypted iCloud data is just one example.
It is obvious that Apple will need to invest even more than it already does in security in order to protect these now weakened flanks.

You, them, and MIE

Krstić also discussed Memory Integrity Enforcement (MIE), a new security protection Apple announced alongside the iPhone 17. Five years in development, this defense targets the most frequently exploited class of iOS bugs, memory safety vulnerabilities, which underpin the sophisticated surveillance-as-a-service attacks so popular among some of the world’s most repressive regimes. “The only system-level iOS attacks we observe in the wild come from mercenary spyware — extremely sophisticated exploit chains, historically associated with state actors, that cost millions of dollars to develop and are used against a very small number of targeted individuals,” the company said. These are the attacks wielded against activists, journalists, and politicians. (Apple is donating 1,000 iPhone 17s to rights groups that work with people at risk of targeted attacks, according to Wired.) Combined protections such as MIE, Lockdown Mode, and the other security shields on Apple’s platforms make these attacks far more expensive to develop and use, but Apple knows the struggle continues, which is why it has increased the bounties it pays.

A ‘moral obligation’

Speaking to Wired, Krstić explained why Apple puts so many resources into protecting these high-value target groups: “We feel a great moral obligation to defend those users. Despite the fact that the vast majority of our users will never be targeted by anything like this, this work that we did will end up increasing protection for everyone.” He’s right, of course: the inconvenient truth of living on a digitally connected planet is that no one is safe until all are safe. Any attempt to weaken security for one group of people inevitably reduces the security of all.
https://www.computerworld.com/article/4070863/apple-doubles-security-bounty-at-hexagon-2025.html