Security researcher quips maybe it's time to get 'a real job' after being paid meagre $1,000 bug bounty by Apple

We have a lot to thank security researchers for. Between uncovering yet more vulnerabilities in Google Chrome, and exposing an embarrassing data leak in a popular sex toy app (no, really), these white hat hackers tend to make our digital existence safer in the long run. Surely some compensation from the multi-million dollar corporations caught in a virtually compromising position is the least these techies could ask for?

Security researcher Renwa recently found a number of high-severity vulnerabilities affecting Apple's Safari browser and Sequoia OS. This included an absolute doozy that could've allowed bad actors to bypass Same Origin Policy in a UXSS (Universal Cross-site Scripting) style attack. Despite this vulnerability being so severe it enjoyed the dubious honour of a 9.8 (critical) CVSS score, Renwa says they were only paid $1,000 for reporting the issue to Apple.

Speaking of, let's take a tour through some of the bug bounties offered by various other major players. For instance, back in 2021, Valve awarded one white hat hacker $7,500 for reporting a Steam Wallet infinite funds flaw. Almost a decade earlier, the same company had paid another security researcher $20,000 for highlighting an exploit that allowed hackers to generate all the Steam keys they could ever want.

And it's not just Valve with a track record of putting its money where its mouth is: back in 2022, Rockstar awarded $10,000 to a GTA Online player who helped fix the game's slow loads. And then last year, Riot announced an especially beefy bounty for anyone who could find holes in Valorant's Vanguard anticheat (though admittedly this was intended more as a show of confidence in their own tech than paying security researchers what they're worth).

But Renwa isn't the only one getting undercut as of late. Remember the Lovense leak I mentioned up top? The core issue was reported and partially fixed multiple times over the years, but security researcher @Krissy was only paid $350 when they discovered the issue back in September 2023. According to BobDaHacker, their group of security researchers then saw $3,000 in total for reporting the same core issue years later.

Considering that all it takes to spell disaster for businesses both big and small is one correctly guessed password or a particularly nasty ransomware attack, I for one think it wouldn't hurt to more consistently pay security researchers what they're worth.

Jess Kinghorn
Hardware Writer

Jess has been writing about games for over ten years, spending the last seven working on print publications PLAY and Official PlayStation Magazine. When she’s not writing about all things hardware here, she’s getting cosy with a horror classic, ranting about a cult hit to a captive audience, or tinkering with some tabletop nonsense.