Apple Faces Criticism Over Reduced macOS Bug Bounty Rewards Amid Broader Program Enhancements

Security Researcher Criticizes Apple’s Reduced macOS Bug Bounty Rewards

In October 2025, Apple announced significant increases to its Security Bounty program, elevating maximum payouts for high-profile exploits to as much as $2 million. However, this enhancement has been met with criticism from the security research community, particularly concerning the reduced rewards for macOS vulnerabilities.

Csaba Fitzl, a macOS security researcher at IRU, expressed his dissatisfaction on LinkedIn, stating that Apple’s adjustments have devalued macOS. He highlighted that the reward for full Transparency, Consent, and Control (TCC) bypasses has been slashed from $30,500 to $5,000. Additionally, payouts for other TCC categories have been diminished from a range of $5,000 to $10,000 down to a mere $1,000.

TCC (Transparency, Consent, and Control) is the macOS privacy framework that gates app access to protected resources such as the camera, microphone, contacts, calendars, screen recording, Accessibility, and files in protected locations (Desktop, Documents, Downloads, and Full Disk Access). The first time an app requests such a resource, macOS prompts the user, and the decision is recorded in a TCC database that the system consults on later requests. A TCC bypass is a vulnerability that lets an attacker reach protected data without that prompt ever appearing, or with a decision the user never made; such bugs are typically logic flaws rather than memory corruption, which is why a single full bypass has historically commanded a substantial bounty.
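As an added example (not code from the article or from Apple), the script below audits a TCC database for grants a defender would want to review: allowed grants to high-value services whose client is identified by an absolute path, or whose binary lives under a world-writable directory. It builds a constructed TCC.db with a reduced copy of the real `access` table so it runs offline; the column names, the `auth_value` encoding (0 denied, 2 allowed, 3 limited) and the `client_type` encoding (0 bundle identifier, 1 absolute path) are assumptions based on what recent macOS versions store, and the sample rows are invented.

```python
"""Audit a TCC.db for risky grants. Added example, not Apple's code.

The schema is a constructed subset of the real TCC.db "access" table
(assumption: column names match macOS 11 and later, which also carry
columns such as csreq and flags that are omitted here).
"""
import os
import sqlite3
import tempfile
from typing import Dict, List, Tuple

SCHEMA = """
CREATE TABLE access (
    service     TEXT    NOT NULL,
    client      TEXT    NOT NULL,
    client_type INTEGER NOT NULL,
    auth_value  INTEGER NOT NULL,
    auth_reason INTEGER NOT NULL,
    PRIMARY KEY (service, client, client_type)
);
"""

# auth_value encoding (assumption: 0 denied, 1 unknown, 2 allowed, 3 limited).
AUTH_DENIED, AUTH_UNKNOWN, AUTH_ALLOWED, AUTH_LIMITED = 0, 1, 2, 3
# client_type encoding (assumption: 0 = bundle identifier, 1 = absolute path).
CLIENT_BUNDLE_ID, CLIENT_ABSOLUTE_PATH = 0, 1

# A grant to any of these is close to a "full TCC bypass" in practice:
# Full Disk Access, screen recording, and Accessibility (synthetic input).
HIGH_VALUE_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles",
    "kTCCServiceScreenCapture",
    "kTCCServiceAccessibility",
}

# Directories any local user can write to; a path-based grant here can be
# taken over by replacing the binary without touching the TCC row.
WORLD_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/Users/Shared/")

# Constructed sample rows; not taken from any real machine.
SAMPLE_ROWS: List[Tuple[str, str, int, int, int]] = [
    ("kTCCServiceCamera", "us.zoom.xos", CLIENT_BUNDLE_ID, AUTH_ALLOWED, 2),
    ("kTCCServiceMicrophone", "com.apple.Terminal", CLIENT_BUNDLE_ID, AUTH_DENIED, 3),
    ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", CLIENT_BUNDLE_ID, AUTH_ALLOWED, 2),
    ("kTCCServiceAccessibility", "/Users/Shared/updater", CLIENT_ABSOLUTE_PATH, AUTH_ALLOWED, 2),
    ("kTCCServiceScreenCapture", "/tmp/helper", CLIENT_ABSOLUTE_PATH, AUTH_ALLOWED, 2),
]


def build_sample_db(path: str) -> None:
    """Create a TCC.db-shaped SQLite file populated with SAMPLE_ROWS."""
    conn = sqlite3.connect(path)
    try:
        conn.executescript(SCHEMA)
        conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
        conn.commit()
    finally:
        conn.close()


def load_grants(path: str) -> List[Dict]:
    """Read every row of the access table, opening the database read-only."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        cols = ("service", "client", "client_type", "auth_value")
        cur = conn.execute("SELECT service, client, client_type, auth_value FROM access")
        return [dict(zip(cols, row)) for row in cur]
    finally:
        conn.close()


def suspicious_grants(grants: List[Dict]) -> List[Dict]:
    """Allowed grants to high-value services that are keyed by absolute path
    or point into a world-writable directory."""
    flagged = []
    for g in grants:
        if g["auth_value"] != AUTH_ALLOWED or g["service"] not in HIGH_VALUE_SERVICES:
            continue
        by_path = g["client_type"] == CLIENT_ABSOLUTE_PATH
        writable = g["client"].startswith(WORLD_WRITABLE_PREFIXES)
        if by_path or writable:
            flagged.append(g)
    return flagged


def audit_sample() -> Tuple[List[Dict], List[Dict]]:
    """Build the constructed database in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "TCC.db")
        build_sample_db(db)
        grants = load_grants(db)
        return grants, suspicious_grants(grants)


if __name__ == "__main__":
    all_grants, risky = audit_sample()
    print(f"{len(all_grants)} grants, {len(risky)} flagged")
    for g in risky:
        print(f"  {g['service']:<36} {g['client']}")
```

On a real Mac the user database lives at `~/Library/Application Support/com.apple.TCC/TCC.db` and the system one at `/Library/Application Support/com.apple.TCC/TCC.db`; reading them requires Full Disk Access for the tool doing the reading, which is itself a TCC grant, so run `load_grants` from a terminal that already has that permission. Bundle-identifier grants such as the Terminal Full Disk Access row above are not flagged by this heuristic because macOS checks the code signing requirement stored with the row, but they still deserve periodic review.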

Under the revised program, as of December 2, 2025, Apple offers $1,000 for scenarios where an individual with physical access to a locked device can retrieve certain sensitive user data; for instance, exploiting a logic flaw on the Lock Screen to view the most recently edited note falls into this category. Other modest rewards include up to $10,000 for code execution from web content, $5,000 for an arbitrary read/write primitive, and as low as $2 for arbitrary register control.

Specific to macOS, bypassing Gatekeeper with limited user interaction can earn up to $10,000. Capturing a TCC target flag with an unsandboxed app garners $5,000, while achieving the same with a sandboxed app can yield up to $10,000. Accessing sensitive data protected by TCC without the target flag is valued at $1,000, and a sandbox escape exclusive to macOS can fetch up to $5,000.

Fitzl interprets these reduced bounties as an indication that Apple is diminishing its focus on the Mac platform. He suggests that the company might be acknowledging its inability to address all vulnerabilities or is simply unwilling to invest in resolving them. Fitzl also points out that the pool of researchers dedicated to uncovering macOS vulnerabilities is already limited, and these decreased rewards could further deter experts from focusing on macOS. This shift might lead researchers to concentrate on other platforms or, more concerningly, to sell their discoveries to third-party entities for higher sums.

While macOS-specific rewards have seen reductions, Apple has substantially increased bounties in other areas. In its October announcement, the company raised the reward for zero-click remote attacks (those requiring no user interaction) from $1 million to $2 million. One-click attacks can now earn up to $1 million, up from $250,000. Wireless proximity attacks saw an increase from $250,000 to $1 million, and attacks on locked devices with physical access rose from $250,000 to $500,000. Additionally, Apple introduced a $100,000 award for researchers who report a full macOS Gatekeeper bypass without user interaction.

Apple’s prioritization of higher rewards for iOS-related vulnerabilities can be attributed to the vast number of iPhone users and the significant revenue generated from iPhone sales. Remote attacks without user intervention are particularly concerning due to their potential widespread impact across various Apple products. While Apple has the capacity to offer higher bounties for macOS vulnerabilities, the company appears to be allocating its resources toward areas with the most substantial user base and potential risk.

This strategic focus underscores the importance of iOS security in Apple’s ecosystem. However, the reduced emphasis on macOS vulnerabilities raises questions about the company’s commitment to securing its desktop operating system. As the landscape of cybersecurity threats continues to evolve, it remains to be seen how Apple will balance its security investments across its diverse range of products.