It looks like Apple is willing to pay big bucks to find bugs by crowdsourcing the work and paying customers to do its job for it. If you find a serious enough flaw in iOS or Safari’s Lockdown Mode, Apple might drop up to $5 million your way.
Apple has significantly expanded its bug bounty program, now offering $2 million to $5 million to anyone who can identify and report critical security vulnerabilities in its iOS ecosystem. This move is part of the company’s continued effort to stay ahead of increasingly sophisticated cyber threats, especially those targeting iPhones and iPads.
Apple says those “mercenary spyware” attacks are the only real iPhone hacks it’s ever seen in the wild, and it wants to stop them for good.
Originally launched in 2016, Apple’s bug bounty initiative was initially invite-only, but it was later opened to all security researchers. The most recent update in October reflects Apple’s commitment to making its devices more secure by encouraging ethical hackers and security professionals to uncover flaws before malicious actors can exploit them.
Apple’s head of security, Ivan Krstić, says the company’s already paid $35 million to over 800 researchers who’ve helped make its devices safer.
The maximum $2 million payout applies to the most severe and technically complex bugs—particularly those involving zero-click, zero-day exploits that don’t require user interaction and can bypass security protections like Lockdown Mode. In addition to base rewards, Apple offers bonus payments for vulnerabilities found in beta versions of iOS or bugs that expose critical user data.
In some cases, the total payout can exceed $5 million, especially when a full exploit chain is demonstrated or if the issue involves spyware-level intrusion tactics. These high rewards put Apple’s bug bounty program among the most lucrative in the tech industry.
However, the company has set strict rules: researchers must follow responsible disclosure guidelines, provide clear proof of concept, and avoid harming users or violating privacy laws during testing. All submissions are reviewed by Apple’s security team.
By dramatically increasing the stakes, Apple hopes to draw attention from the world’s top security minds and stay ahead of nation-state-level cyber threats. The expanded program sends a clear message: finding, and reporting, iOS bugs the right way can be both ethical and extremely rewarding.
By offering payouts of up to $5 million, Apple is not just defending its products — it’s investing in a global network of ethical hackers to proactively identify threats before they can be exploited.
This crowdsourced approach allows Apple to tap into some of the brightest minds in cybersecurity, reinforcing its reputation for privacy and device protection. While the high rewards may grab headlines, the real value lies in strengthening the safety of millions of users worldwide. The program also highlights the growing importance of responsible disclosure and the ethical role of security research in the modern tech ecosystem.
As cyber threats become more advanced and targeted, especially from spyware and state-sponsored actors, Apple’s initiative sets a high standard for collaborative defense and responsible innovation across the industry.

