Apple Security Bounty Categories

Apple Security Bounty reward payments are made at Apple’s sole discretion and are based on the type of issue, the level of access or execution achieved, and the quality of the report. A high-quality research report is critical to help us confirm and address an issue quickly, and could help you receive an Apple Security Bounty reward.

The examples shown for each category are representative of potential Apple Security Bounty payments. While we’re unable to anticipate specific reward payments in advance, we consider every security issue that has a significant impact to users for an Apple Security Bounty reward, even if it doesn’t match a published category.

Products / Description / Reward Range
Device attack via physical access Lock Screen bypass $5,000 – $100,000 User data extraction $5,000 – $250,000
Device attack via user-installed app Unauthorized access to sensitive data $5,000 – $100,000 Elevation of privilege $5,000 – $150,000
Network attack with user interaction One-click unauthorized access to sensitive data $5,000 – $150,000 One-click with elevation of privilege $5,000 – $250,000
Network attack without user interaction Zero-click radio to kernel with physical proximity $5,000 – $500,000 Zero-click unauthorized access to sensitive data $5,000 – $500,000 Zero-click kernel code execution with persistence and kernel PAC bypass $100,000 – $1,000,000

Products / Description /
Reward Range

Device attack via
physical access

Lock Screen bypass
$5,000 – $100,000
User data extraction
$5,000 – $250,000

Device attack via
user-installed app

Unauthorized access to sensitive data
$5,000 – $100,000
Elevation of privilege
$5,000 – $150,000

Network attack with
user interaction

One-click unauthorized access to sensitive data
$5,000 – $150,000
One-click with
elevation of privilege
$5,000 – $250,000

Network attack without
user interaction

Zero-click radio to kernel with physical proximity
$5,000 – $500,000
Zero-click unauthorized access to sensitive data
$5,000 – $500,000
Zero-click kernel code execution with persistence and kernel PAC bypass
$100,000 – $1,000,000

Products	Description / Reward Range
Device attack via physical access	Lock Screen bypass $5,000 – $100,000 User data extraction $5,000 – $250,000
Device attack via user-installed app	Unauthorized access to sensitive data $5,000 – $100,000 Elevation of privilege $5,000 – $150,000
Network attack with user interaction	One-click unauthorized access to sensitive data $5,000 – $150,000 One-click with elevation of privilege $5,000 – $250,000
Network attack without user interaction	Zero-click radio to kernel with physical proximity $5,000 – $500,000 Zero-click unauthorized access to sensitive data $5,000 – $500,000 Zero-click kernel code execution with persistence and kernel PAC bypass $100,000 – $1,000,000

Products	Description	Reward Range
Device attack via physical access	Lock Screen bypass	$5,000 – $100,000
	Examples
	User data extraction	$5,000 – $250,000
	Examples
Device attack via user-installed app	Unauthorized access to sensitive data	$5,000 – $100,000
	Examples
	Elevation of privilege	$5,000 – $150,000
	Examples
Network attack with user interaction	One-click unauthorized access to sensitive data	$5,000 – $150,000
	Examples
	One-click with elevation of privilege	$5,000 – $250,000
	Examples
Network attack without user interaction	Zero-click radio to kernel with physical proximity	$5,000 – $500,000
	Examples
	Zero-click unauthorized access to sensitive data	$5,000 – $500,000
	Examples
	Zero-click kernel code execution with persistence and kernel PAC bypass	$100,000 – $1,000,000
	Examples

Some issues may qualify for an additional bonus.

Topic	Additional Bonus	Maximum Bounty
Beta Software: Issues that are unique to newly added features or code in developer and public beta releases, including regressions	50%	$1,500,000
Lockdown Mode: Issues that bypass the specific protections of Lockdown Mode	100%	$2,000,000

Topic

Beta Software: Issues that are unique to newly added features or code in developer and public beta releases, including regressions

Additional Bonus	Maximum Bounty
50%	$1,500,000

Topic

Lockdown Mode: Issues that bypass the specific protections of Lockdown Mode

Additional Bonus	Maximum Bounty
100%	$2,000,000

Topic / Description / Reward Range
Unauthorized access to iCloud account data on Apple servers Takeover of iCloud data associated with an Apple ID that doesn't belong to you $10,000 – $100,000
Remote Code Execution Command injection, deserialization bugs, XXE leading to RCE $10,000 – $50,000
Logic flaw bugs leaking or bypassing significant security controls Direct object reference, remote user impersonation, account takeover, privilege escalation, IDOR, SSRF, directory traversal, HTTP request smuggling, proxy misconfiguration leading to bypass of security controls $2,500 – $50,000
Unrestricted file system or database access Unsandboxed XXE, SQL injection $5,000 – $25,000
Code execution on the client/server Stored/DOM/Blind XSS, CSRF, HTML injection (more than phishing) or having write access authorization when prohibited $2,500 – $20,000
Confidential or sensitive data Generalized access control issues leading to exposure of PII $2,500 – $10,000
Domain and subdomain takeovers DNS zone, domain, and subdomain takeovers $500 – $2,500

Topic / Description /
Reward Range

Unauthorized access to iCloud account data on Apple servers

Takeover of iCloud data associated with an Apple ID that doesn't belong to you
$10,000 – $100,000

Remote Code Execution

Command injection, deserialization bugs, XXE leading to RCE
$10,000 – $50,000

Logic flaw bugs leaking or bypassing significant security controls

Direct object reference, remote user impersonation, account takeover, privilege escalation, IDOR, SSRF, directory traversal, HTTP request smuggling, proxy misconfiguration leading to bypass of security controls
$2,500 – $50,000

Unrestricted file system or database access

Unsandboxed XXE, SQL injection
$5,000 – $25,000

Code execution on the client/server

Stored/DOM/Blind XSS, CSRF, HTML injection (more than phishing) or having write access authorization when prohibited
$2,500 – $20,000

Confidential or sensitive data

Generalized access control issues leading to exposure of PII
$2,500 – $10,000

Domain and subdomain takeovers

DNS zone, domain, and subdomain takeovers
$500 – $2,500

Topic	Description / Reward Range
Unauthorized access to iCloud account data on Apple servers	Takeover of iCloud data associated with an Apple ID that doesn't belong to you $10,000 – $100,000
Remote Code Execution	Command injection, deserialization bugs, XXE leading to RCE $10,000 – $50,000
Logic flaw bugs leaking or bypassing significant security controls	Direct object reference, remote user impersonation, account takeover, privilege escalation, IDOR, SSRF, directory traversal, HTTP request smuggling, proxy misconfiguration leading to bypass of security controls $2,500 – $50,000
Unrestricted file system or database access	Unsandboxed XXE, SQL injection $5,000 – $25,000
Code execution on the client/server	Stored/DOM/Blind XSS, CSRF, HTML injection (more than phishing) or having write access authorization when prohibited $2,500 – $20,000
Confidential or sensitive data	Generalized access control issues leading to exposure of PII $2,500 – $10,000
Domain and subdomain takeovers	DNS zone, domain, and subdomain takeovers $500 – $2,500

Topic	Description	Reward Range
Unauthorized access to iCloud account data on Apple servers	Takeover of iCloud data associated with an Apple ID that doesn't belong to you	$10,000 – $100,000
Unauthorized access to iCloud account data on Apple servers	Examples
Remote Code Execution	Command injection, deserialization bugs, XXE leading to RCE	$10,000 – $50,000
Remote Code Execution	Examples
Logic flaw bugs leaking or bypassing significant security controls	Direct object reference, remote user impersonation, account takeover, privilege escalation, IDOR, SSRF, directory traversal, HTTP request smuggling, proxy misconfiguration leading to bypass of security controls	$2,500 – $50,000
	Examples
Unrestricted file system or database access	Unsandboxed XXE, SQL injection	$5,000 – $25,000
Unrestricted file system or database access	Examples
Code execution on the client/server	Stored/DOM/Blind XSS, CSRF, HTML injection (more than phishing) or having write access authorization when prohibited	$2,500 – $20,000
Code execution on the client/server	Examples
Confidential or sensitive data	Generalized access control issues leading to exposure of PII	$2,500 – $10,000
Confidential or sensitive data	Examples
Domain and subdomain takeovers	DNS zone, domain, and subdomain takeovers	$500 – $2,500
Domain and subdomain takeovers	Examples

Give your work an even greater purpose.

Considering donating your reward? Apple matches donations of Apple Security Bounty rewards to qualifying causes — like the Ford Foundation’s Dignity and Justice Fund, which helps combat mercenary spyware.

Definitions.

“Zero-click” refers to an exploit that requires no user interaction to successfully gain access or execution. For example, receiving an iMessage that results in photo exfiltration with zero interaction from the user.
“One-click” refers to an exploit that requires user interaction to successfully gain access or execution. For example, the user clicks a malicious link or opens a malicious file.
“Access to sensitive data” refers to limited (i.e., one or two items), partial (i.e., some large number), or broad (i.e., the full database) access to contents of Contacts, Mail, Messages, Notes, Photos, and real-time or historical precise location data — or similar user data — that would normally be prevented by the system.