10.08.2025 09:00

The Bug Hunter’s Life: Apple’s Stingy $1,000 Payout for a Critical Safari Vulnerability Sparks Outrage

In the high-stakes world of bug bounties, where security researchers hunt down vulnerabilities to keep our digital lives safe, a recent case has left the infosec community buzzing — and not in a good way.

A researcher known as RenwaX23 uncovered a critical flaw in Safari (rated a staggering 9.8 out of 10 on the CVSS vulnerability scale), detailed in a post on X. This hole allowed hackers to impersonate users, launch the camera, and rummage through iCloud data. Apple patched it in the iOS 18.4 update, but their reward? A measly $1,000.

For a company with a market capitalization hovering around $3 trillion, this payout feels less like a thank-you and more like pocket change—or, as some have quipped, not even enough to cover the cost of the latest iPhone 16 Pro Max. The bug, tracked as CVE-2025-30466, was no small fry. RenwaX23 demonstrated its severity with proof-of-concept videos showing iCloud data theft and camera access on both iOS and macOS. Yet, Apple’s response has ignited a firestorm of debate.

The infosec community is divided. Some argue the exploit required significant user interaction, making it less of an immediate threat and justifying the modest reward under Apple’s bounty guidelines, which consider factors like ease of exploitation and report quality. Others are less forgiving, labeling Apple as downright stingy. Comparisons are flying — some recall past cases where vulnerabilities granting access to personal photos fetched a cool $5,000, still a far cry from the potential millions other tech giants have paid for similar finds.


RenwaX23 himself expressed frustration, hinting at quitting the bug bounty game altogether after the underwhelming payout. Replies on X range from sympathetic (“It’s like they want you to sell these to someone else”) to sarcastic (“Wow, you can buy 0.6 iPhones with that!”). With the vulnerability’s critical nature and Apple’s deep pockets, the $1,000 feels more like an insult than an incentive, especially when the researcher’s work likely took dozens of hours.

