This bounty hunter reported a critical bug to Apple. He only got $1,000
Security researchers play a crucial role in software development by identifying and reporting vulnerabilities. It is so important that Apple Security Research runs a security bounty program that pays researchers for their discoveries. Depending on the severity of the vulnerability, a researcher can earn up to $2 million for finding a bug, but, as one researcher shows, the perceived severity does not always make sense.
A researcher who goes by Renwax23 on X posted about the bounty he received for what appears to be a critical security hole. Found in Safari, the hole is a universal cross-site scripting (UXSS) vulnerability, a type that lets an attacker act as the user on other websites and access their data. In this case, Renwax23 demonstrated that the hole could be used to access iCloud and the iOS Camera app. The vulnerability was rated critical with a score of 9.8 (on a scale of 10), so it was not a small bug.
Recorded as CVE-2025-30466, Apple fixed it in Safari 18.4, which shipped with the iOS / iPadOS 18.4 and macOS 15.4 updates in March. Renwax23 was paid for the bug discovery – a meager $1,000.
Why the low payment? Some who responded to Renwax23's post believe it is because Apple considers how easily a user could encounter the vulnerability. In this case, “too much user interaction is necessary” to trigger the exploit, as Gergely_kalman puts it. Apple's website states that the required user interaction is part of the bounty determination criteria, along with the number of affected users, the level of access, how well the report is written (which affects the work Apple must do) and other factors.
Apple's website also lists vulnerability types, payout ranges and examples, but as another poster on the thread, Taiko_soup, points out, Apple's decisions seem arbitrary. Taiko_soup discovered a vulnerability that appeared to qualify for a $50,000 payout but was offered $5,000.
Security researchers spend many long hours finding holes and reporting them so that users can have safer software. There seems to be a lack of perspective on Apple's part when it comes to compensating researchers appropriately for the work they do. It does not look good for a company as large as Apple to lowball its payouts.
When Apple publishes operating system updates, such as the recent macOS Sequoia 15.6 update, they include several security fixes, as detailed on the Apple Security Releases website. On that site, Apple lists the issues that have been resolved, and if you look at each specific entry, you will see something called a CVE number (which refers to the record kept in the Common Vulnerabilities and Exposures database) and the name of a person or group. That name is the researcher who discovered the vulnerability.