Apple’s Bug Bounty Shift: Mac Security Gets a Pay Cut

According to AppleInsider, security researcher Csaba Fitzl has publicly complained about reduced payments from Apple’s bug bounty program for discovered macOS flaws, despite Apple announcing in October that it would raise maximum payouts in November. While the company increased rewards for high-profile exploit chains to as high as $2 million, specific macOS categories saw drastic cuts. For example, payouts for full TCC (Transparency, Consent, and Control) privacy bypasses dropped from $30,500 to just $5,000, and other individual TCC categories fell from between $5,000 and $10,000 to a flat $1,000. Under the updated program, some low-impact findings, like a malicious app gaining access to a single data class, now earn only $1,000. Apple also introduced a new $100,000 award for a full macOS Gatekeeper bypass with no user interaction, but the overall trend for Mac-specific bugs is a significant devaluation.

The Mac Gets a Raw Deal

Here’s the thing: Fitzl has a point. Slashing the reward for a full TCC bypass—a major privacy failure—by over 80% sends a pretty clear message. It basically says, “We don’t value finding these holes in macOS as much as we used to.” And when a researcher who specializes in macOS security says this feels like Apple admitting it “can’t fix everything and it doesn’t care anymore,” you have to listen. That’s a damning indictment from someone inside the community. The risk here isn’t just hurt feelings; it’s practical. Fitzl argues there already aren’t many people hunting for Mac vulnerabilities. So what happens when you make the financial carrot even smaller? The herd thins out. Researchers might just pack up and focus on iOS, where the bounties are life-changing, or worse, take their macOS exploits to the gray or black market where they can command a much higher price. Apple might be saving some cash on the bounty front, but could be creating a more expensive security problem down the line.

Apple’s Numbers Game

Now, to play devil’s advocate, Apple’s strategy isn’t completely irrational. Look at the numbers. They raised the bounty for a zero-click, remote iOS exploit chain to a staggering $2 million. Attacks with one click can now net $1 million, up from $250k. That’s where the clear and present danger is for Apple’s business and its vast user base. The iPhone is the revenue engine and the device in billions of pockets. A devastating remote iOS exploit is an existential threat. A local TCC bypass on a Mac, while serious, affects a much smaller user base and often requires some level of user interaction or physical access. From a pure risk-management and “return on investment” perspective, you pour money into protecting your crown jewel. It’s a brutal, corporate calculus. But is it the right calculus for security? I’m not so sure. Neglecting the Mac platform creates a soft underbelly. It tells attackers, “Hey, over here, the defenses are cheaper to bypass and the rewards for doing so are lower for the good guys.” That seems like a dangerous signal to send.

A Broader Security Dilemma

So where does this leave us? Apple is trying to incentivize research on the most critical, wide-impact attack vectors, which makes sense. But in doing so, they’re disincentivizing the hard, grinding work of securing a complex desktop OS. It’s like only paying top dollar for someone who can breach the front gate of a fortress, but offering peanuts to the people who find the faulty locks on all the side doors and windows. A determined attacker doesn’t just use one exploit; they chain them together. A $1,000 TCC bypass might be a perfect link in that chain. By devaluing these components, Apple might be making it cheaper for threat actors to build powerful attacks, even if the initial entry point is still expensive. They’ve also rolled out a blanket $1,000 award for low-impact issues to encourage reporting, which is good, but it further flattens the value curve. The whole situation highlights the tricky balance of running a bug bounty program. You’re trying to crowdsource your security, but you also have to budget for it. Right now, the budget clearly says: iPhone first, Mac maybe later. For a company that still sells premium Mac hardware and touts its privacy stance, that’s a tough look.
