
Apple’s Mac Security Rewards Take a Sharp Cut: What It Means for macOS Safety

Just weeks after raising payouts under its Security Bounty program to record levels, Apple has quietly moved in the opposite direction for macOS. The company has significantly reduced cash rewards for reporting Mac-related security vulnerabilities, an eyebrow-raising shift at a time when macOS malware and targeted attacks are becoming more common.

According to macOS security researcher Csaba Fitzl, recent changes to Apple’s macOS-focused bounty categories have cut rewards anywhere from 50% to as much as 83%, depending on the type of flaw being reported. For researchers who spend serious time finding and responsibly disclosing bugs, those numbers aren’t a small trim—they can fundamentally change whether macOS vulnerability research is worth the effort.

One of the biggest reductions affects TCC bypasses. TCC (Transparency, Consent, and Control) is the macOS permission framework that gates access to protected resources, including user folders such as Desktop, Documents and Downloads, Photos, the microphone, the camera, and other sensitive data, until the user explicitly grants it through a consent prompt or the Privacy & Security settings. A vulnerability that fully bypasses TCC lets a malicious app read those resources silently, with no prompt and no entry in the user's permission list, which is why these bugs have historically commanded high payouts. Now, the reward for a full TCC bypass has reportedly dropped by roughly 83%, falling to $5,000 from the previous $30,500.
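The practical check a defender wants here is the inverse of a bypass: which apps have TCC actually granted access to? macOS records per-user grants in the SQLite database at ~/Library/Application Support/com.apple.TCC/TCC.db (system-wide grants live under /Library/Application Support/com.apple.TCC/). The following is an added example, not code from the article or from Apple, that audits the `access` table for high-impact services. It runs offline against a constructed in-memory stand-in with a reduced copy of the schema (the real table has more columns; the service names and the auth_value meanings 0 = denied, 2 = allowed, and 3 = limited are assumed from the real database); `open_real_db` shows how to point it at the real file instead.

```python
import os
import sqlite3

# TCC service identifiers whose grants a reviewer cares about most.
# (Identifiers as used in TCC.db; the display names are ours.)
HIGH_IMPACT = {
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServicePhotos": "Photos",
    "kTCCServiceMicrophone": "Microphone",
    "kTCCServiceCamera": "Camera",
    "kTCCServiceAccessibility": "Accessibility",
}

# auth_value semantics (assumed from observed TCC.db contents).
AUTH_VALUE = {0: "denied", 1: "unknown", 2: "allowed", 3: "limited"}

USER_TCC_DB = os.path.expanduser(
    "~/Library/Application Support/com.apple.TCC/TCC.db"
)


def open_constructed_db():
    """Constructed stand-in for TCC.db: reduced `access` schema, sample rows.

    The rows below are invented for this example; they are not real grants.
    """
    db = sqlite3.connect(":memory:")
    db.execute(
        """
        CREATE TABLE access (
            service       TEXT    NOT NULL,
            client        TEXT    NOT NULL,
            client_type   INTEGER NOT NULL,  -- 0 = bundle id, 1 = absolute path
            auth_value    INTEGER NOT NULL,
            auth_reason   INTEGER NOT NULL,
            last_modified INTEGER NOT NULL
        )
        """
    )
    rows = [
        ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2, 2, 1700000000),
        ("kTCCServiceMicrophone", "us.zoom.xos", 0, 2, 2, 1700000100),
        ("kTCCServiceCamera", "us.zoom.xos", 0, 0, 2, 1700000100),
        ("kTCCServicePhotos", "com.example.updater", 0, 3, 2, 1700000200),
        ("kTCCServiceAddressBook", "com.example.updater", 0, 2, 2, 1700000200),
        ("kTCCServiceAccessibility", "com.example.updater", 0, 2, 2, 1700000300),
    ]
    db.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?, ?)", rows)
    return db


def open_real_db(path=USER_TCC_DB):
    """Open the real per-user TCC.db read-only.

    Reading this file is itself TCC-protected: the process needs Full Disk
    Access, otherwise the open fails with a permission error.
    """
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def granted_high_impact(db):
    """Return (service display name, client, state) for every non-denied
    grant on a high-impact service, ordered by service then client."""
    cur = db.execute(
        "SELECT service, client, auth_value FROM access "
        "WHERE auth_value IN (2, 3) ORDER BY service, client"
    )
    return [
        (HIGH_IMPACT[service], client, AUTH_VALUE[value])
        for service, client, value in cur
        if service in HIGH_IMPACT
    ]


if __name__ == "__main__":
    for name, client, state in granted_high_impact(open_constructed_db()):
        print(f"{name:16} {state:8} {client}")
```

On a real Mac, run it with a Full Disk Access-enabled terminal and swap in `open_real_db()`; a client you do not recognise holding Full Disk Access or Accessibility is worth investigating, since those two grants give an app most of what a TCC bypass would.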

Apple has also reduced rewards for macOS sandbox escape vulnerabilities. The App Sandbox is a core macOS containment mechanism: it confines a process to the files, network access, and inter-process communication its entitlements allow, so that a compromised app cannot freely reach the rest of the system. Sandbox escapes are a big deal because they let an attacker who already controls a sandboxed process break out of those restrictions and gain broader system access, which is why they are usually chained with another bug rather than used alone. The reported payout for these issues has been cut by about 50%, dropping to $5,000 from around $10,000.

There are also lower-tier adjustments that further narrow incentives. For instance, a vulnerability that can reach sensitive data protected by TCC (such as Photos) but does not meet the criteria for Apple's TCC Target Flag is now reportedly eligible for a $1,000 reward. For many researchers, that kind of payout may not justify the weeks of investigation, proof-of-concept development, and responsible disclosure work required to report it properly.

These cuts land in a security landscape where Apple has undeniably invested in protection measures across its ecosystem. The company introduced Lockdown Mode for people at elevated risk of targeted attacks; it reduces exposure by disabling or limiting features such as certain message attachments and link previews. Safari has also seen significant security hardening over time. On the hardware side, Apple continues to add memory-protection features that raise the cost of exploiting memory-corruption bugs, a class of flaw frequently used in real-world attacks.

Even with those improvements, bounty programs matter because they help locate complex vulnerabilities before criminals do. When payouts drop sharply, especially for higher-impact macOS categories, researchers have less reason to prioritize Mac security work and more reason to move to other platforms, or to other buyers, that pay better.

The concern isn't just about money; it's about incentives. macOS security relies on a steady pipeline of responsibly reported vulnerabilities. Reducing rewards for some of the most critical Mac-related bug classes could be seen as a step backward, potentially leaving more weaknesses undiscovered or unreported for longer, which is exactly the wrong direction as macOS threats continue to evolve.