Bug bounty programs remain a crucial component of cybersecurity strategies in 2025, offering organizations the ability to draw in help from a diverse pool of cybersecurity professionals and researchers. The schemes offer continuous testing against emerging threats.
What are bug bounty programs?
Bug bounty programs are structured systems for individuals to identify and report security vulnerabilities and other bugs. They are offered by organizations, websites, and software developers. These programs are designed to leverage the skills of ethical hackers to enhance the security of software and systems before malicious parties can exploit these vulnerabilities.
Participants, often referred to as bug bounty hunters, earn financial rewards or other forms of recognition for successfully reporting vulnerabilities in assets covered by bug bounty programs. Exploits achieved through social engineering trickery such as phishing are typically excluded.
Bug bounty programs focus in 2025
For ethical hackers, best practice for bug bounty hunting in 2025 involves thorough reconnaissance of a target organization’s technology stack, rather than just running automated tools.
Leading bug bounty platforms such as Bugcrowd, HackerOne, Synack, YesWeHack, and Intigriti offer rewards for identifying and reporting security vulnerabilities. Platforms connect ethical hackers with organizations, providing a structured framework for vulnerability disclosure and resolution — managing bug bounty rewards on behalf of their corporate clients.
Technology providers and government organizations run stand-alone bug bounty programs as part of a broader security testing strategy that also includes penetration tests.
Over the past 12 months bug bounties have begun offering increased payouts and broader scope. Traditional web and mobile categories are being supplemented by an increased focus on AI systems and critical infrastructure.
“In the past year, Accenture has seen bug bounty go AI-assisted at scale: Researchers lean on AI, programs incorporate AI systems in bounty scope, and prompt-injection findings have surged,” Ryan Whelan, Accenture global cyber intelligence lead, tells CSO.
“Vendors now pay for full exploit chains, not one-off bugs,” Whelan says, adding that this shows how the bug bounty market has matured to reward researchers for vulnerabilities that have “real-world impact and reproducibility.”
Here are the notable programs launched or expanded in 2025.
Apple increases rewards and expands bounty program
Apple doubled the maximum reward for zero-click iPhone remote exploits from $1 million to $2 million, with additional bonuses for uncovering complex exploit chains pushing potential payouts up to $5 million or more.
Apple also significantly increased rewards in other categories to encourage more intensive research. This includes $100,000 for a complete macOS Gatekeeper bypass, and $1 million for broad unauthorized iCloud access.
The vendor also added WebKit browser and wireless proximity exploits into the scope of its revamped Apple Security Bounty program. The most severe one-click WebKit sandbox escapes can earn up to $300,000. Payouts of up to $1 million are payable for wireless proximity exploits.
The updates — which come into effect in November 2025 — are in response to a febrile threat environment, exemplified by sophisticated exploit chains historically associated with state actors that are being harnessed by spyware vendors in targeted attacks, Apple warns in a blog post on its revamped program.
Google launches dedicated AI-related bug bounty program
Google launched a dedicated AI Vulnerability Reward Program in October 2025. The scheme aims to incentivize security researchers to focus on uncovering previously undiscovered flaws in the vendor’s AI-based products and services, such as Gemini.
Eligible exploits include those that lead to unauthorized account or data modifications, data exfiltration, model theft, or phishing enablement. Rewards operate in tiers from $5,000 up to $30,000. Prompt injections or jailbreaks are out of scope and not eligible for any rewards.
The tech giant also increased the rewards offered through its core bug bounty program, increasing the highest category rewards for researchers who discover flaws in Google Chrome to $250,000. Expanded categories and higher rewards pushed the total amount paid out by Google’s Vulnerability Reward Program to $12 million throughout 2024.
Microsoft continues Zero Day Quest
Microsoft expanded its AI Copilot bug bounty, with rewards up to $30,000 for code injection and other severe vulnerabilities.
The technology giant also announced plans for its largest hacking event, “Zero Day Quest,” due to take place in spring 2026 and focused on uncovering cloud and AI vulnerabilities in products such as Microsoft Azure, Copilot, Identity, and M365.
Next year’s event follows the successful conclusion of an inaugural event in April, which focused on high-impact vulnerabilities in Copilot and cloud products and led to payouts of more than $1.6 million.
Microsoft paid out a total of $17 million to 344 security researchers this year, the company announced in August.
Samsung puts a premium on mobile security
Samsung launched a new bug bounty for mobile devices, offering up to $1 million for ethical hackers who discover and report critical flaws in core mobile systems.
The highest awards are on offer for high-impact bugs that present an arbitrary code execution risk on highly privileged targets or that bypass in-built security protections such as the Knox Vault or the TEEGRIS OS security platform.
The program covers vulnerabilities in Samsung’s smartphones, tablets, wearable devices, personal computers, services, and applications. Potential rewards vary depending on product as well as the severity of uncovered flaws.
Anthropic offers rewards for jailbreaking Claude
In May 2025, Anthropic launched a new bug bounty initiative, run through HackerOne, to stress-test advanced safety classifiers protecting Claude models. The invite-only trial program offered rewards of up to $25,000 for vulnerabilities that reliably bypass AI safety constraints.
The scheme ran for a few weeks before it was replaced by a program focused on stress-testing the Constitutional Classifiers system on the new Claude Opus 4 model. In August the scheme was further refined to offer rewards of up to $15,000 to pre-invited researchers who identify AI safety mitigation shortcomings in early pre-release versions of Anthropic’s Claude AI assistant.
OpenAI levels up bug bounty reward program
In March, OpenAI dramatically increased the potential payouts for those who discovered critical vulnerabilities in its AI models and infrastructure from $20,000 to $100,000.
Assets that are in scope include ChatGPT, OpenAI’s APIs, and OpenAI corporate information and website, as explained in much more depth on OpenAI’s program page on Bugcrowd.
Nvidia scales up security defenses
Chip giant Nvidia has teamed up with bug bounty platform Intigriti to launch a bug bounty program alongside a vulnerability disclosure program (VDP) that carries no financial reward, both of which are due to go live early in 2026.
Nvidia products will be covered by a private bug bounty program. An additional private bug bounty package will cover core AI assets. The VDP extends to all other Nvidia assets, such as its website.
Shields up
Belgian higher education and healthcare tech provider Shield has partnered with Intigriti to launch a vulnerability disclosure program.
“[The] partnership provides essential support and services on vulnerability disclosure programs for critical national infrastructure (CNI) organizations such as hospitals, that now need to comply with NIS2 [EU cybersecurity regulation],” Intigriti said in a statement about the deal.
Cryptonomicon
Last December, virtual assets platform Crypto.com upgraded its existing bug bounty program with HackerOne, providing up to $2 million in rewards for the reporting of critical security vulnerabilities. The boost made the vendor’s technology the most lucrative target for bug bounty hunters before the recent enhancements to Apple’s program.
[For a look at last year’s top announcements, see “12 notable bug bounty programs launched in 2024.”]