Security researchers play a crucial role in software development by identifying and discovering vulnerabilities. This is so important that Apple Security Research runs a security bounty program that pays researchers for their discoveries. Depending on the severity of the vulnerability, a researcher can earn as much as $2 million for finding a bug, but as one researcher shows, Apple's perception of a bug's difficulty does not always make sense.
A researcher going by Renwax23 on X posted about the bounty they received for what appears to be a critical security hole. Found in Safari, the hole is a universal cross-site scripting (UXSS) vulnerability, a type where an attacker can impersonate a user and access their data. In this case, Renwax23 demonstrated that the hole could be used to access iCloud and the iOS Camera app. The vulnerability was rated critical with a score of 9.8 (out of 10), so it was not a minor bug.
Recorded as CVE-2025-30466, Apple fixed it in Safari 18.4, which shipped with the iOS/iPadOS 18.4 and macOS 15.4 updates back in March. Renwax23 received a fee for discovering the bug: a disappointing $1,000.
Why the low payout? Some who responded to Renwax23's post think it is because Apple weighs how easily a user could encounter the vulnerability. In this case, "too much user interaction is needed" to trigger the exploit, as gergely_kalman puts it. Apple's website says the required user interaction is one of the criteria for determining bounties, along with the number of users affected, the level of access gained, how well the report is written (which affects how much work Apple has to do) and other factors.
Apple's website also lists vulnerability types, pay scales and examples, but as another poster in the thread, Taiko_Soup, points out, Apple's decisions seem arbitrary. Taiko_Soup discovered a vulnerability that appeared to qualify for a $50,000 payout but was offered $5,000.
Security researchers spend many long hours finding holes and reporting them so users can have safer software. Apple seems to lack the perspective needed to compensate researchers appropriately for the work they are doing. It doesn't look good when a company as big as Apple lowballs its payouts.
When Apple releases OS updates, such as the recent macOS Sequoia 15.6 update, they include multiple security fixes, as described on the Apple Security Releases site. On this site, Apple lists the issues that were addressed, and if you look at each specific entry, you will see a CVE number (which refers to the entry stored in the Common Vulnerabilities and Exposures database) and the name of a person or group. That name is the researcher who discovered the vulnerability.