Security researchers play a vital role in software development, finding and reporting vulnerabilities. It's so important that Apple Security Research runs a Security Bounty Program that offers payouts to researchers for their discoveries. Depending on the severity of the vulnerability, a researcher can make as much as $2 million for spotting a bug, but, as one researcher shows, Apple's notion of severity doesn't always make sense.
A researcher who goes by RenwaX23 on X posted about the bounty received for what appears to be a critical security hole. Found in Safari, the hole is a Universal Cross-Site Scripting (UXSS) vulnerability: a flaw in the browser itself that lets a malicious page run script in the context of other websites, bypassing the same-origin policy, so an attacker can act as the user on those sites and access their data. In this instance, RenwaX23 demonstrated that the hole could be used to access iCloud and the iOS Camera app. The vulnerability was rated Critical with a CVSS score of 9.8 (on a scale of 10), so it wasn't a small bug.
Recorded as CVE-2025-30466, Apple fixed it in Safari 18.4, which shipped with the iOS/iPadOS 18.4 and macOS 15.4 updates back in March. RenwaX23 received a payout for the discovery: a measly $1,000.
Why the low payout? Some who responded to RenwaX23's post believe it's because Apple takes into account how easily a user could actually be hit by the vulnerability. In this case, "too much user interaction is required," as gergely_kalman puts it, to trigger the exploit. Apple's website states that required user interaction is part of the criteria for determining bounties, along with the number of affected users, the level of access gained, how well the report is written (which affects how much work Apple has to do), and other factors.
Apple's website also lists vulnerability categories, pay scales, and examples, but as another poster in the thread, Taiko_soup, points out, Apple's decisions seem arbitrary. Taiko_soup found a vulnerability that appeared to qualify for a $50,000 payout but was offered $5,000.
Security researchers put in many long hours to find holes and report them so that users can have safer software. There seems to be a lack of perspective on Apple's part when it comes to compensating researchers appropriately for the work they do. It doesn't look good when a company as large as Apple lowballs its payouts.
When Apple releases OS updates, such as the recent macOS Sequoia 15.6 update, they include a number of security fixes, as detailed on the Apple Security Releases site. On that site, Apple lists the issues that were addressed, and if you look at each specific entry, you'll see a CVE number (which refers to the record kept in the Common Vulnerabilities and Exposures database) and the name of a person or group. That name is the researcher who discovered the vulnerability.