Apple is taking its server safety very seriously. The $3.5 trillion software giant is challenging hackers to break into the company’s tech—and a $1 million check is up for grabs to those who succeed.
The “security research challenge” coincides with Apple’s rollout of its new AI-powered Apple Intelligence offering, as part of iOS 18.1.
The server on which many of the Intelligence commands are run is called the Private Cloud Compute (PCC) server—and Apple is desperate to protect that server from any cyberattacks, hacks, or security breaches.
The company swiftly sent out a call to amateur hackers and security experts alike to attempt to poke holes in its PCC: “Today we’re making these resources publicly available to invite all security and privacy researchers—or anyone with interest and a technical curiosity—to learn more about PCC and perform their own independent verification of our claims,” Apple wrote in a statement last week. “And we’re excited to announce that we’re expanding Apple Security Bounty to include PCC, with significant rewards for reports of issues with our security or privacy claims.”
The tech firm also supplied a security guide for the server, detailing how it functions, how it authenticates requests, and how it’s built to protect against break-ins. It even released the source code for some parts of PCC on GitHub.
Then it outlined the rewards for anyone willing to give it a whirl: anywhere from hundreds of thousands to millions of dollars, depending on the difficulty and gravity of the hack.
The parameters of the bug bounty
So just how much could you take home if you manage to break into Apple’s servers? “We award maximum amounts for vulnerabilities that compromise user data and inference request data outside the PCC trust boundary,” Apple explained, before breaking down the bug bounty on offer.
- If you’re able to hit upon “accidental or unexpected data disclosure due to [a] deployment or configuration issue,” you’ll get $50,000.
- Moving up the chain, if you can “execute unattested code,” you’ll get $100,000.
- Gaining “access to a user’s request data or other sensitive information about the user outside the trust boundary” gets you $150,000, while access to sensitive information about the user’s requests outside the trust boundary gets $250,000.
In the blog post explaining the challenge, Apple wrote that it considers PCC to be the “most advanced security architecture ever deployed for cloud AI compute at scale, and we look forward to working with the research community to build trust in the system and make it even more secure and private over time.”
What’s more, if a hacker spots a security issue not covered by Apple’s outline, the company still promises to consider providing a bounty.
And the big-ticket ask? If a hacker is able to pull off “arbitrary execution of code without the user’s permission or knowledge with arbitrary entitlements,” they’ll be awarded $1,000,000.