Apple is offering rewards of up to $1 million to find critical flaws in its private AI cloud systems

Apple is offering a $1 million (£770,000) bounty for flaws that could be used by hackers to run code in Private Cloud Compute (PCC), the cloud system used to power advanced AI features that can't run on device.

Bug bounty programs are a popular way for technology companies to incentivise security researchers to seek out vulnerabilities in their code, offering rewards for any flaws found. Last year, Google paid out more than $10 million on bug bounties to more than 600 researchers, including its largest ever reward at the time worth $605,000.

Apple unveiled Apple Intelligence, its system for generative AI on iPhones, iPads and Mac computers, earlier this year. While some AI features process data on devices for privacy reasons, advanced features that require more processing power are handled by Apple's new cloud, Private Cloud Compute.

Apple says it designed its cloud system to have the same levels of security and privacy as Apple devices, including not allowing Apple itself to view the data, in order to help build user trust in AI — or at least AI on Apple devices.

To help Apple spot vulnerabilities in those cloud servers, it has extended its pre-existing bounty program to cover PCC — with big rewards for the most dangerous flaws.

"To further encourage your research in Private Cloud Compute, we’re expanding Apple Security Bounty to include rewards for vulnerabilities that demonstrate a compromise of the fundamental security and privacy guarantees of PCC," the company said in a post outlining the bug bounty.

Apple noted that the bounties are in line with those for iOS — which makes sense as PCC is pushed as an extension of a user's device.

For iOS, Apple's bounties likewise range from $5,000 to $1 million, and bonus payouts can push a reward to the $2 million mark for iOS flaws that are found in new features in beta software or that target Lockdown Mode.

Apple's bountiful bounties

The new PCC bounty rules are centered on what Apple sees as the most serious threats: accidental data disclosure, external compromise from user requests (such as flaws that allow hackers to exploit the system), and physical or internal access.

"We award maximum amounts for vulnerabilities that compromise user data and inference request data outside the PCC trust boundary," the post added.

Apple splits the PCC bounties into two main categories. It will pay rewards from $50,000 to $150,000 for attacks from a privileged network position, with the highest payouts for vulnerabilities that can access a user's request data or other sensitive information.

The biggest bounty is for the second category, remote attacks on request data. Flaws that would allow access to data could earn a bounty up to $250,000 while those that allow code execution could be rewarded with up to $1 million.

Apple added that it still wants to hear about flaws that land outside these categories, of course.

"Because we care deeply about any compromise to user privacy or security, we will consider any security issue that has a significant impact to PCC for an Apple Security Bounty reward, even if it doesn’t match a published category," the post added.