Apple has issued a new security research challenge for hackers with the main aim being the company protecting its Private Cloud Compute (PCC) servers. The company has said that if you are successful in hacking Apple’s PCC servers, you could earn up to $1 million.
Private Cloud Compute (PCC) fulfills computationally intensive requests for Apple Intelligence while providing privacy and security protections — by bringing industry-leading device security model into the cloud.
To build public trust in the system, Apple took the extraordinary step of allowing security and privacy researchers to inspect and verify the end-to-end security and privacy promises of PCC. In the weeks after Apple Intelligence and PCC were announced, Apple provided third-party auditors and select security researchers early access to the resources we created to enable this inspection, including the PCC Virtual Research Environment (VRE).
According to Apple, hackers are encouraged to look for vulnerabilities in accidental data disclosure, external compromise from user’s requests, and physical or internal access.
In other words, the bounty is split into two main categories, with five sub-categories that each have a different “price tag”.
According to Apple, however, if a hacker is aiming to win the $1 million prize, they will have to carry out a remote attack on request data, by executing an arbitrary code execution with arbitrary entitlements.
Apple’s new PCC bounty categories are aligned with the most critical threats:
- Accidental data disclosure: vulnerabilities leading to unintended data exposure due to configuration flaws or system design issues.
- External compromise from user requests: vulnerabilities enabling external actors to exploit user requests to gain unauthorized access to PCC.
- Physical or internal access: vulnerabilities where access to internal interfaces enables a compromise of the system.
Because PCC extends the industry-leading security and privacy of Apple devices into the cloud, the rewards Apple offer are comparable to those for iOS. The company awards maximum amounts for vulnerabilities that compromise user data and inference request data outside the PCC trust boundary.
Apple Security Bounty: Private Cloud Compute
| Category | Description | Maximum Bounty |
|---|---|---|
| Remote attack on request data | Arbitrary code execution with arbitrary entitlements | $1,000,000 |
| Access to a user’s request data or sensitive information about the user’s requests outside the trust boundary | $250,000 | |
| Attack on request data from a privileged network position | Access to a user’s request data or other sensitive information about the user outside the trust boundary | $150,000 |
| Ability to execute unattested code | $100,000 | |
| Accidental or unexpected data disclosure due to deployment or configuration issue | $50,000 |
Apple says that “because they care deeply about any compromise to user privacy or security”, they will consider any security issue that has a significant impact to PCC for an Apple Security Bounty reward, even if it doesn’t match a published category.
