Apple encourages security researchers to seek out and report vulnerabilities in its devices and apps, in return for which it pays bug bounties of up to $2M.
However, one security researcher who reported a Safari vulnerability Apple graded as Critical, and gave a severity score of 9.8 out of 10, says they were paid only $1,000 …
Apple upgraded its security bounty program back in 2022, and stated then that its average payout was $40,000 and that it had on twenty occasions paid a six-figure sum for “high-impact issues.” This included a total payout of $175k to a student who successfully hijacked both Mac and iPhone cameras.
However, Macworld reports that a researcher who found a critical security hole in Safari was paid only $1,000.
A researcher who goes by RenwaX23 on X posted about the bounty received for what seems to be a critical security hole. Found in Safari, the hole is a Universal Cross-Site Scripting (UXSS) vulnerability, a browser-level flaw in which a malicious page can run script in the context of other websites, letting an attacker impersonate a user and access their data. In this instance, RenwaX23 demonstrated that the hole can be used to access iCloud and the iOS Camera app.
The vulnerability was graded as Critical, with a score of 9.8 (on a scale of 10), so it wasn’t a small bug. Recorded as CVE-2025-30466, Apple fixed it in Safari 18.4, which was released with the iOS/iPadOS 18.4 and macOS 15.4 updates back in March. RenwaX23 received a fee for the bug discovery: a measly $1,000.
One possible explanation is that an attacker would need to trick a user into taking action before the exploit could be used. Apple does state that user interaction is one of the criteria used when determining bounty payouts.
However, another poster said that a vulnerability they discovered, which should have attracted a $50,000 payout according to Apple’s criteria, saw them receive only $5,000.
9to5Mac’s Take
It may be that Apple’s view of the real-life risk of exploitation was accurate, and that only a $1,000 payout was appropriate. However, there does seem a very large gap between Apple’s rating of the severity and the amount offered.
The danger of very low payouts is that they may encourage those discovering vulnerabilities to sell them on the black market rather than reporting them to Apple. Payouts for critical vulnerabilities can run as high as $5M from companies that want to exploit them to hack Apple devices.