Particle.news

Apple Doubles Top Bug Bounty to $2 Million, Unveils 'Target Flags'

The revamped program seeks to draw offensive-security research away from mercenary spyware markets.

Overview

  • New payouts start in November 2025, with $2 million for a zero-click remote compromise and a theoretical maximum of $5 million via Lockdown Mode and beta-software bonuses.
  • Rewards across key categories rise sharply: up to $1 million for one-click remote exploits, up to $1 million for wireless proximity attacks, $500,000 for physical-access attacks, and up to $300,000 for WebKit chains that escape the sandbox, rising to $1 million if the chain escalates to running unsigned code with arbitrary entitlements.
  • 'Target Flags' let researchers capture verifiable capability levels tied to specific payout tiers, triggering immediate award notifications upon Apple’s validation across iOS, iPadOS, macOS, visionOS, watchOS, and tvOS.
  • Apple frames mercenary spyware as the primary real-world threat motivating the richer incentives to attract top-tier offensive-security talent.
  • Since 2020 the public program has paid more than $35 million to over 800 researchers, alongside complementary defenses such as Memory Integrity Enforcement in iPhone 17 and a pledge to donate 1,000 iPhone 17s to rights groups.