This bounty hunter reported a critical bug to Apple. He only got $1,000

Macworld

Security researchers play a crucial role in software development, identifying and discovering vulnerabilities. It’s so important that Apple Security Research runs a Security Bounty Program that offers payouts to researchers for their discoveries. Depending on the severity of the vulnerability, a researcher can make as much as $2 million for spotting a bug, but, as one researcher shows, Apple’s perception of severity doesn’t always make sense.

A researcher who goes by RenwaX23 on X posted about the bounty received for what seems to be a critical security hole. Found in Safari, the hole is a Universal Cross-Site Scripting (UXSS) vulnerability, a type where an attacker can impersonate a user and access their data. In this instance, RenwaX23 demonstrated that the hole can be used to access iCloud and the iOS Camera app. The vulnerability was graded as Critical with a score of 9.8 (on a scale of 10), so it wasn’t a small bug.

Recorded as CVE-2025-30466, Apple fixed it in Safari 18.4, which was released with iOS/iPadOS 18.4 and macOS 15.4 update back in March. RenwaX23 received a fee for the bug discovery–a measly $1,000.




RenwX23/X

Why the low payout? Some who responded to RenwaX23’s post believe it’s because Apple does consider the ease with which a user could encounter the vulnerability. In this case, “too much user interaction is needed,” as gergely_kalman puts it, to trigger the exploit. Apple’s website states that required user interaction is part of the criteria for determining bounties, along with the number of affected users, level of access, how well the report is written (which affects how much work Apple needs to do), and other factors.

Apple’s website also provides types of vulnerabilities, pay scales, and examples, but as another poster on the thread, Taiko_soup, points out, Apple’s decisions seem arbitrary. Taiko_soup discovered a vulnerability that seemed to have a $50,000 payout, but was offered $5,000.

Security researchers put in several long hours to find holes and report them so that users can have safer software. There seems to be a lack of perspective on Apple’s part to compensate researchers appropriately for the work they do. It doesn’t look good when a company as large as Apple lowballs its payouts.

When Apple releases OS updates, such as the recent macOS Sequoia 15.6 update, they include several security fixes, as detailed on the Apple Security Releases website. On that site, Apple lists the problems that were addressed, and if you look at each specific entry, you’ll see something called a CVE number (which refers to the record kept in the Common Vulnerabilities and Exposures database) and the name of a person or group. That name is a researcher who discovered the vulnerability.