Apple Security Bounty

Apple will pay you $1 million if you can hack its intelligence

If you are successful in hacking Apple’s PCC servers, you could earn up to $1 million

Last updated:

Apple has issued a new security research challenge for hackers with the main aim being the company protecting its Private Cloud Compute (PCC) servers. The company has said that if you are successful in hacking Apple’s PCC servers, you could earn up to $1 million.

Private Cloud Compute (PCC) fulfills computationally intensive requests for Apple Intelligence while providing privacy and security protections — by bringing industry-leading device security model into the cloud.

To build public trust in the system, Apple took the extraordinary step of allowing security and privacy researchers to inspect and verify the end-to-end security and privacy promises of PCC. In the weeks after Apple Intelligence and PCC were announced, Apple provided third-party auditors and select security researchers early access to the resources we created to enable this inspection, including the PCC Virtual Research Environment (VRE).

According to Apple, hackers are encouraged to look for vulnerabilities in accidental data disclosure, external compromise from user’s requests, and physical or internal access.

In other words, the bounty is split into two main categories, with five sub-categories that each have a different “price tag”.

According to Apple, however, if a hacker is aiming to win the $1 million prize, they will have to carry out a remote attack on request data, by executing an arbitrary code execution with arbitrary entitlements.

Apple’s new PCC bounty categories are aligned with the most critical threats:

  • Accidental data disclosure: vulnerabilities leading to unintended data exposure due to configuration flaws or system design issues.
  • External compromise from user requests: vulnerabilities enabling external actors to exploit user requests to gain unauthorized access to PCC.
  • Physical or internal access: vulnerabilities where access to internal interfaces enables a compromise of the system.

Because PCC extends the industry-leading security and privacy of Apple devices into the cloud, the rewards Apple offer are comparable to those for iOS. The company awards maximum amounts for vulnerabilities that compromise user data and inference request data outside the PCC trust boundary.

Apple Security Bounty: Private Cloud Compute

CategoryDescriptionMaximum Bounty
Remote attack on request dataArbitrary code execution with arbitrary entitlements$1,000,000
Access to a user’s request data or sensitive information about the user’s requests outside the trust boundary$250,000
Attack on request data from a privileged network positionAccess to a user’s request data or other sensitive information about the user outside the trust boundary$150,000
Ability to execute unattested code$100,000
Accidental or unexpected data disclosure due to deployment or configuration issue$50,000

Apple says that “because they care deeply about any compromise to user privacy or security”, they will consider any security issue that has a significant impact to PCC for an Apple Security Bounty reward, even if it doesn’t match a published category.