- Apple will pay up to USD 1 million if security researchers find PCC security flaws
- Apple is confident in the security of its platform, so it has allowed professionals to test it
- All security and privacy researchers are invited to search for vulnerabilities in Apple's PCC
Apple will pay up to USD 1 million if security researchers find PCC security flaws
Apple has opened its doors to all cybersecurity researchers, inviting them to test the security of its Private Cloud Compute (PCC) platform. The tech giant is offering a reward of up to USD 1 million to anyone who finds vulnerabilities in the cloud solution, which supports Apple Intelligence artificial intelligence features.
This offer comes just as everyone awaits the major iOS 18.1 update. It will be the first to bring advanced artificial intelligence capabilities to the iPhone, including improvements to the Siri voice assistant[1].
Apple's AI solutions are believed to be far more secure and private than those offered by other smartphone manufacturers, such as Samsung's "hybrid AI" used in Google's Android ecosystem.
Apple emphasizes processing user data on the device itself, rather than in the cloud. The data is routed to Private Cloud Compute (PCC) only for more complex queries. This solution is based on a custom-designed Apple silicon server and a rigorous operating system designed specifically for privacy.
Apple is confident in the security of its platform, so it has allowed professionals to test it
Apple calls its PCC "the most advanced security architecture ever deployed at cloud IoT scale".
To demonstrate its confidence in the platform's reliability, the company has decided to allow security researchers to test the platform's resilience to breaches and find vulnerabilities. To support this effort, Apple has introduced a virtual testing environment that allows researchers to test and analyze the functionality of the PCC themselves.
"In the weeks since we introduced Apple Intelligence and PCC, we've given independent auditors and select security researchers early access to the resources we've developed, including the PCC Virtual Research Environment," Apple explained in a new blog post.
All security and privacy researchers are invited to search for vulnerabilities in Apple's PCC
On 24 October, Apple made these resources publicly available and invited all security and privacy researchers, or anyone with an interest and curiosity about the technical side of things, to contribute to a review of the platform. The company states that its aim is to "learn more about PCC and allow researchers to independently verify our claims".
At the same time, Apple is expanding its Security Bounty program to include PCC and offering a "significant reward" for any reports of potential problems that may pose a security or privacy threat[2].
The company's reward for finding vulnerabilities in PCC is truly impressive. For major breaches that allow "remote access to a data request," the company is offering a USD 1 million reward for finding arbitrary code execution vulnerabilities. Meanwhile, access to user query data or sensitive information that is outside the security perimeter carries a USD 250,000 reward.
"We reward the largest amounts for vulnerabilities that compromise user data and place query data outside the [PCC's] trust," Apple said.
For attacks that require a "privileged position" - where an investigator has direct access to another user's iPhone - the company is offering a reward of USD 150,000 if these vulnerabilities give access to user data or other sensitive information outside the security perimeter.
"Because we care deeply about any compromise to consumer privacy or security, we will consider all security concerns that have a significant impact on PCC and may award a reward even if the vulnerability does not fit into the published categories," Apple said.
Apple states that each report will be assessed based on the quality of its information, evidence of how the vulnerability can be exploited, and the potential impact on consumers. Security researchers interested in this program can visit the Apple Security Bounty page for more information and to submit their research. This Apple initiative is not only an innovative way to ensure the highest level of security for PCC, but also a great opportunity for security researchers to contribute to developing critical privacy solutions.