Researcher reports critical Safari bug, gets just $1,000 from Apple

A security researcher known as RenwaX23 received only $1,000 from Apple after reporting a critical vulnerability, despite the company advertising bug bounty rewards of up to $2 million.

The flaw, found in the Safari browser, allowed attackers to impersonate users and gain access to sensitive data, including iCloud files and the camera app. The vulnerability, tracked as CVE-2025-30466, received a severity score of 9.8 out of 10.

The issue was patched in iOS 18.4 in March 2025. For discovering it, RenwaX23 was awarded just $1,000. He commented:

Apple awarded me only $1,000 for this bug, I should quit this bug bounty thing and get a real job.

Some users speculated that the modest payout was due to the exploit’s complexity and limited reproducibility, which often affects reward size. Others criticized Apple’s bounty process as inconsistent and opaque.