Anyone who can hack Apple’s Private Cloud Compute will receive $1 million

Key Takeaways
  • Researchers who uncover flaws in Apple’s new Private Cloud Compute might receive up to $1 million.
  • The reward consists of $100,000 for running unattested code and $250,000 for gaining access to user data.
  • This project aims to improve AI security and privacy by growing Apple’s bug bounty program.

Researchers who find flaws in Apple’s Private Cloud Compute (PCC), which launches next week, might receive up to $1 million from the company.

This prize covers exploits that allow arbitrary code execution with arbitrary entitlements. Additionally, the program provides up to $150,000 for significant security flaws that allow sensitive user information to be accessed from a privileged network position and up to $250,000 for vulnerabilities that allow access to a user’s request data or sensitive information outside the trust boundary.

$100,000 is awarded for running unattested code, while $50,000 is awarded for unintentional data leaks brought on by deployment or setup problems.

The firm grants its maximum amounts for “vulnerabilities that compromise user data and inference request data outside the PCC trust boundary.” Even if an issue doesn’t fall within one of the established categories, Apple will nonetheless evaluate any significant security issue affecting PCC for a Security Bounty award.

Apple’s AI and Security Improvement Strategy

Many of the AI functions advertised as Apple Intelligence will operate on-device, according to Apple. At the same time, PCC servers powered by Apple Silicon and running a new operating system will handle sophisticated queries. Even though a lot of AI applications rely on servers to handle intricate operations, consumers sometimes don’t have access to security information. To address this, Apple created PCC to guarantee that its security and privacy pledges are legally enforceable and subject to independent researcher verification.

In addition to offering a tutorial on technical specs and source code, Apple’s blog describes PCC security for researchers. To facilitate security research on Macs, the company has also implemented a Virtual Research Environment (VRE) for PCC. The VRE needs a Mac with Apple Silicon and at least 16 GB of unified memory, and it comes with tools for checking logs and examining software.

The incentives announcement broadens the scope of Apple’s bug bounty program, which was introduced in 2016 and encourages researchers to privately submit problems that may impact user accounts or devices.

iOS 18.1, which is anticipated to be released next week, will introduce the first Apple Intelligence capabilities. The initial iOS 18.2 developer beta, which was made available on October 23, had important features like ChatGPT integration and Genmoji. While some AI features won’t be available until 2025, the majority are expected by year’s end.
