Apple Announces It Will Pay $2 Million to Anyone Who Can Bypass Its Lockdown Mode on iPhones, iPads, and Macs

By Mustafa. Published about a month ago.

In a bold move that underscores how serious it is about protecting users — and staying ahead of spyware firms — Apple has just revamped its bug bounty program. As part of this overhaul, the company announced that anyone who can successfully bypass Lockdown Mode (or otherwise chain together exploits of similar severity) could earn up to US $2 million — the highest bounty award in the industry to date. Even more striking: with bonuses for certain conditions (e.g. bugs in beta software, or bypassing Lockdown Mode protections), payouts could theoretically exceed $5 million.

What is Lockdown Mode — and Why It Matters

Lockdown Mode debuted in 2022 as Apple’s “extreme protection” feature, aimed at a small subset of users who face highly targeted attacks — from spyware vendors, state actors, or sophisticated hacking teams.

When enabled, Lockdown Mode significantly restricts device functionality to reduce the “attack surface.” Some of its protections include:

Blocking most message attachments (except images) and disabling link previews.

Disabling certain advanced web technologies (e.g. just-in-time JavaScript) unless a site is explicitly marked “trusted.”

Preventing incoming FaceTime or other service invitations from strangers if the user hasn’t previously contacted them.

Blocking wired connections with a computer/accessory whenever the device is locked.

Disallowing new configuration profiles or MDM (mobile device management) enrollment while Lockdown Mode is active.


In essence, Lockdown Mode disables many of the conveniences of a modern smartphone or computer in exchange for “maximum-security” protection. Apple designed it not for everyday users, but for a narrow group of high-risk individuals: activists, journalists, dissidents, or anyone who might be targeted by highly advanced spyware.

Why Apple Is Spending Millions for Bypass Reports

This isn’t just a publicity stunt. In a public statement, Apple emphasized that its updated bounty program is meant to keep pace with “mercenary spyware vendors” — highly funded groups that develop complex exploit chains capable of silently hacking devices without user interaction.

Historically, Apple launched its public bug bounty program in 2020. Since then, the program has awarded more than US $35 million to over 800 security researchers worldwide.

But as Apple’s security architecture grows more sophisticated — with features like Lockdown Mode and the recently introduced memory-safety protections — the company says the effort required to identify credible, real-world vulnerabilities has likewise increased. Therefore, rewards must match that complexity and effort.

To make the reward process more transparent and objective, Apple is also rolling out a new “flag system.” Called Target Flags, this mechanism allows a researcher to capture specific proof (for example: arbitrary code execution, full device compromise) which Apple can verify programmatically. Once verified, the bounty payout can be issued — even before a software fix is rolled out.

Additionally, many more categories of vulnerabilities are now eligible for increased payouts. Some examples:

Zero-click remote code execution (RCE) exploits — up to $2 million.

One-click WebKit sandbox escapes — up to $300,000 (or up to $1 million for more advanced chaining).

Wireless “proximity” exploits (attacks that can be carried out when a device is near a malicious radio signal) — up to $1 million.

Physical-device attacks (when an attacker has direct access to a locked device) — payouts up to $500,000.

Complete bypasses of macOS’s Gatekeeper controls — $100,000.

Unauthorized iCloud access issues — up to $1 million.


Meanwhile, less-severe bugs that aren’t part of high-impact exploit chains may still get rewarded — sometimes $1,000 or more — to encourage continuous reporting and defensive improvement.

What This Means — For Users & For Hackers

For everyday consumers, this announcement may not change much: Apple continues to believe most users don’t need Lockdown Mode, and the feature remains optional.

But for high-risk users — journalists, human-rights activists, political dissidents, or public figures in hostile environments — the stakes have never been higher. Apple is effectively putting “bounty dollars” on the heads of the most sophisticated spyware developers and is encouraging the security community to find and responsibly disclose vulnerabilities, rather than letting those vulnerabilities be hoarded or sold to the highest bidder.

From a broader cybersecurity perspective, Apple’s move underlines the evolving landscape of digital threats. State-level and mercenary spyware firms no longer rely solely on traditional phishing or “click-bait.” Instead, they increasingly seek “zero-click” exploits — vulnerabilities that execute without user interaction, often silently and remotely. To defend against these, companies like Apple must stay one step ahead; and that means funding the defensive research community at an unprecedented scale.

Reality Check: It’s Hard — but Not Impossible

Achieving a successful Lockdown Mode bypass or building a multi-step exploit chain is extremely difficult. Apple itself notes that payouts beyond $2 million (i.e. with bonuses) are “not easy or likely.”

And while the new “Target Flags” system and expanded categories may encourage more researchers to try, not every reported bug — even if real — will qualify for the top payouts. Apple is looking for full exploit chains, not theoretical vulnerabilities. Partial bugs or low-impact issues will likely receive modest rewards (or none at all), depending on their severity and exploitability.

Still — the message is clear: Apple is willing to pay top dollar for any weakness that could undermine Lockdown Mode or otherwise compromise device security. And given the rising sophistication of real-world threats, that’s a signal worth paying attention to.
