Apple Reduces Security Bounties Amid Rising Mac Malware Threats
In a surprising move, Apple has significantly reduced the financial rewards offered to security researchers for identifying vulnerabilities in macOS. This decision comes at a time when Mac malware incidents are on the rise, raising concerns about the company’s commitment to user security and privacy.
Reduction in Security Bounties
Csaba Fitzl, a principal macOS security researcher at Iru, recently highlighted these changes on LinkedIn. He noted that the bounty for discovering a full Transparency, Consent, and Control (TCC) bypass has been slashed from $30,500 to just $5,000. Similarly, individual TCC category vulnerabilities now fetch only $1,000, down from the previous range of $5,000 to $10,000. Sandbox escape vulnerabilities have also seen a reduction, with rewards decreasing from $10,000 to $5,000.
Fitzl expressed his concerns, stating, "It feels like Apple admits they can’t fix this and don’t care anymore, or at least aren’t willing to pay for it." This is especially troubling given Apple’s emphasis on privacy.
Understanding TCC and Its Importance
The Transparency, Consent, and Control (TCC) framework is a critical component of macOS, designed to ensure that applications can only access sensitive user data with explicit permission. This includes access to files, folders, contacts, calendars, health data, and hardware components like the webcam and microphone.
Historically, security researchers have identified significant TCC vulnerabilities. For instance, some exploits allowed attackers to modify the consent database, tricking macOS into believing that users had granted permissions they hadn’t. Others enabled rogue applications to leverage permissions granted to legitimate apps, effectively bypassing user consent mechanisms.
Implications of Reduced Bounties
The reduction in bounty rewards is particularly concerning given the increasing prevalence of Mac malware. A report from Jamf highlighted a 28% spike in infostealer malware among Mac users, making it the leading Mac malware family. This surge underscores the growing threats faced by Mac users and the critical need for robust security measures.
Fitzl warns that with diminished incentives, fewer researchers may focus on macOS vulnerabilities. This could lead to discovered exploits being sold on the black market rather than reported to Apple, potentially exposing users to greater risks.
Apple’s Evolving Security Bounty Program
Apple’s security bounty program has undergone several changes since its inception. Introduced in 2016 with maximum payouts of $200,000, the program expanded in 2019 to include macOS and increased top rewards to $1 million. In October 2025, Apple announced a major evolution of the program, doubling the top award to $2 million for exploit chains comparable to sophisticated mercenary spyware attacks. However, the recent reductions in specific categories, especially those related to macOS, seem to contradict this trend.
The Growing Mac Malware Landscape
The macOS platform has traditionally been perceived as more secure than other operating systems. However, this perception is changing. The same Jamf report indicated that 32% of organizations operate at least one device with critical vulnerabilities. Additionally, over 90% of cyber attacks originate from phishing, with one in ten users clicking on malicious links.
Furthermore, security researchers have demonstrated that Mac malware can bypass Apple’s Background Task Manager, a tool introduced to detect persistent malware. This highlights the evolving sophistication of threats targeting macOS.
The Role of Security Researchers
Security researchers play a pivotal role in identifying and reporting vulnerabilities, allowing companies like Apple to patch them before malicious actors can exploit them. By reducing the financial incentives for these researchers, Apple risks diminishing the pool of experts dedicated to securing its platforms.
Fitzl’s concerns are echoed by others in the cybersecurity community. The fear is that without adequate compensation, researchers might choose to sell their findings to third parties, potentially leading to unpatched vulnerabilities being exploited in the wild.
Apple’s Response and Future Outlook
As of now, Apple has not publicly commented on the reductions in its security bounty program. The company has historically emphasized its commitment to user privacy and security, making these recent changes puzzling to many observers.
Moving forward, it remains to be seen how Apple will balance its security initiatives with the need to incentivize external researchers. Given the increasing threats targeting macOS, a collaborative approach with the security research community is more crucial than ever.
Conclusion
Apple’s decision to reduce security bounties for macOS vulnerabilities has raised significant concerns within the cybersecurity community. At a time when Mac malware is on the rise, diminishing incentives for researchers could have unintended consequences, potentially exposing users to greater risks. It is imperative for Apple to reassess its approach and ensure that its commitment to user security and privacy remains unwavering.