Example Payouts

Bounty payments are determined by the level of access or execution obtained by the reported issue, modified by the quality of the report. Issues that are unique to designated developer or public betas, including regressions, can result in a 50% additional bonus if the issues were previously unknown to Apple. All security issues with significant impact to users will be considered for Apple Security Bounty payment, even if they do not fit the published bounty categories.

Unauthorized iCloud Account Access

$25,000. Limited unauthorized control of an iCloud account.

$100,000. Broad unauthorized control of an iCloud account.

Physical Access to Device: Lock Screen Bypass

$25,000. Access to a small amount of sensitive data from the lock screen (but not including a list of installed apps or the layout of the home screen).

$50,000. Partial access to sensitive data from the lock screen.

$100,000. Broad access to sensitive data from the lock screen.

Physical Access to Device: User Data Extraction

$100,000. Partial extraction of sensitive data from the locked device after first unlock.

$250,000. Broad extraction of sensitive data from the locked device after first unlock.

User-Installed App: Unauthorized Access to Sensitive Data

$25,000. App access to a small amount of sensitive data normally protected by a TCC prompt.

$50,000. Partial app access to sensitive data normally protected by a TCC prompt.

$100,000. Broad app access to sensitive data normally protected by a TCC prompt or the platform sandbox.

User-Installed App: Kernel Code Execution

$100,000. Kernel code execution reachable from an app.

$150,000. Kernel code execution reachable from an app, including PPL bypass or kernel PAC bypass.

User-Installed App: CPU Side-Channel Attack

$250,000. CPU side-channel attack allowing any sensitive data to be leaked from other processes or higher privilege levels.

Network Attack with User Interaction: One-Click Unauthorized Access to Sensitive Data

$75,000. One-click remote partial access to sensitive data.

$150,000. One-click remote broad access to sensitive data.

Network Attack with User Interaction: One-Click Kernel Code Execution

$150,000. One-click remote kernel code execution.

$250,000. One-click remote kernel code execution, including PPL bypass or kernel PAC bypass.

Network Attack without User Interaction: Zero-Click Radio to Kernel with Physical Proximity

$50,000. Zero-click code execution on a radio (e.g., baseband, Bluetooth, or Wi-Fi) with only physical proximity, with no escalation to kernel.

$200,000. Zero-click partial access to sensitive data, with only physical proximity.

$250,000. Zero-click kernel code execution, with only physical proximity.

Network Attack without User Interaction: Zero-Click Unauthorized Access to Sensitive Data

$100,000. Zero-click attack that can turn on and collect information from a sensor (e.g., camera, microphone, or GPS).

$250,000. Zero-click partial access to sensitive data, without physical proximity.

$500,000. Zero-click broad access to sensitive data.

Network Attack without User Interaction: Zero-Click Kernel Code Execution with Persistence and Kernel PAC Bypass

$1,000,000. Zero-click remote chain with full kernel execution and persistence, including kernel PAC bypass, on latest shipping hardware.

Notes and Definitions

“One-click” refers to an exploit requiring user interaction to successfully gain access or execution. (For example, the user clicks a malicious link or opens a malicious file.)

“Zero-click” refers to an exploit requiring no user interaction to successfully gain access or execution. (For example, being on a network or in proximity is sufficient.)

“Sensitive data” access includes gaining a small amount (i.e., one or two items), partial access (i.e., some large number), or broad access (i.e., the full database) from Contacts, Mail, Messages, Notes, Photos, or real-time or historical precise location data — or similar user data — that would normally be prevented by the system.

The top payouts in each category are reserved for high quality reports and are meant to reflect significant effort, and as such are applicable to issues that impact all or most Apple platforms, or that circumvent the full set of latest technology mitigations available. Payouts vary based on available hardware and software mitigations that must be bypassed for successful exploitation.

There is a $5,000 minimum payout for all categories.

Terms and Conditions

Read the legal requirements for the Apple Security Bounty Program.