Apple's bug bounty program offers up to $2M for critical vulnerabilities, yet a researcher who reported a Safari vulnerability rated Critical received only $1,000. Payouts this low risk discouraging researchers from reporting bugs to the vendor at all, and instead pushing them to sell their findings on the black market for potentially higher sums.
Apple's bug bounty program, designed to reward security researchers for discovering vulnerabilities, has recently come under scrutiny following a low payout for a critical vulnerability. A researcher known as RenwaX23 reported a Universal Cross-Site Scripting (UXSS) vulnerability in Safari, which was rated Critical with a severity score of 9.8 out of 10. A UXSS bug is a flaw in the browser itself rather than in any one website: a malicious page can run script in the context of any other site the victim visits, bypassing the same-origin policy. According to the report, the flaw, recorded as CVE-2025-30466, allowed an attacker to act as the user and access their data, including iCloud and the iOS Camera app [1].
Despite the severity of the vulnerability, RenwaX23 received a payout of just $1,000. The discrepancy has sparked debate among security researchers and users alike. Some argue that Apple's criteria for grading vulnerabilities, and the payouts that follow from those grades, are not sufficiently aligned with the actual impact of the issues reported. Part of the gap is that a severity score and a bounty tier measure different things: Apple's published bounty categories are keyed to the attack type and the amount of user interaction required, so factors such as ease of exploitation and whether the victim must click something can drive the payout far below what the score alone would suggest [1].
A payout this low could discourage researchers from reporting vulnerabilities to Apple and push them to sell their findings on the black market for higher sums. That would cost Apple valuable security insight and increase the risk to its users. As Apple continues to release updates, such as the recent macOS Sequoia 15.6 update, it remains crucial that the bug bounty program compensates researchers adequately for their efforts [1].
By contrast, the crypto industry has been emphasising the importance of well-compensated bug bounty programs in bolstering platform security. As cryptocurrency use has grown, platform security has become a critical issue, as recent high-profile hacks resulting in losses exceeding $270 million show [2]. Crypto platforms are integrating automation, intelligence, and stringent Know Your Customer (KYC) protocols to mitigate risks and encourage ethical hacking.
As Apple and other tech giants continue to develop and update their software, they need to strike a balance between rewarding researchers for their contributions and ensuring that payouts are commensurate with the severity and impact of the vulnerabilities they discover. Getting that balance right not only improves the security of the products but also fosters a more collaborative and transparent relationship between the tech industry and the security research community.
References:
[1] https://www.macworld.com/article/2863434/bounty-hunter-got-1000-from-apple.html
[2] https://www.business-standard.com/technology/tech-news/platform-security-assumes-criticality-in-the-face-of-crypto-hacks-125073001170_1.html