Apple promises rewards of up to $2 million for serious bugs. The researcher who found this critical vulnerability hoped for a large payout but received only $1000.
The flaw is a Universal Cross-Site Scripting (UXSS) vulnerability: a bug in the browser itself, rather than in any one website, that lets an attacker's script run in the context of other sites, so the attacker can act as the logged-in user and reach their private data. Researcher RenwaX23 showed how the UXSS could be used to get at iCloud and even the camera on iOS. The bug was recognized as very serious and given a severity score of 9.8 out of 10. The vulnerability was registered as CVE-2025-30466 and patched in March in Safari 18.4, which shipped with iOS/iPadOS 18.4 and macOS 15.4. The fix itself is fine; the problem is the reward Apple offered the person who found the bug: only $1000.
Apple updated its bounty program in 2022, and it typically pays $40,000. Some critical vulnerabilities have already earned researchers six-figure sums: a student who found a way to hijack Mac and iPhone cameras, for example, received $175,000.
At first glance it is unclear why Apple paid so little. The likely reason is that exploiting the vulnerability required the victim to click or open something, that is, some non-obvious user interaction. Apple often reduces the reward for bugs that depend on such interaction. Even so, the gap between a 9.8/10 rating and a $1000 payout raises questions, all the more because a CVSS score of 9.8 corresponds to a vector in which no user interaction is required; the same vector with user interaction marked as required would score 8.8.
This is not the first such case: other security researchers have reported receiving $5000 where they expected $50,000. Payouts this low risk pushing researchers toward the black market, where critical iOS or macOS vulnerabilities command millions of dollars. Selling a finding to hackers for a large sum becomes easier than reporting it honestly to a corporation that looks for ways to pay less than promised. Some developers have even gone as far as stealing internal documentation for their own use.
Source: 9to5mac
Online media entity; media identifier R40-06029.