Apple to pay over Rs 8 crore to anyone who hacks Apple Intelligence servers
Apple is offering a massive reward of over Rs 8 crore for hacking its Apple Intelligence server as part of an extended bug bounty program.
Apple is preparing to introduce the first set of features for its AI-powered Apple Intelligence in the next few days. In a precautionary move ahead of the release, the company has also expanded its bug bounty program. Apple has announced a reward of $1 million, i.e. more than Rs 8 crore, for anyone who hacks the Apple Intelligence servers. Why? The Cupertino giant aims to identify vulnerabilities in its Private Cloud Compute (PCC) platform, ensuring stronger security for its new AI-powered services.
Apple Intelligence was introduced at WWDC 2024 and is expected to launch with the iOS 18.1 update. The AI-powered suite will bring key features designed to enhance Siri, strengthen device privacy, and secure on-device processing of AI tasks. However, amid concerns over the potential misuse of AI and demand for safer, private AI alternatives, Apple is taking extra precautions to make its platform as resilient as possible against cyber threats. And if someone identifies problems with the servers, Apple is willing to offer a substantial reward for their efforts.
Apple’s bug bounty program
Following the initial announcement of Apple Intelligence, Apple has opened up its PCC infrastructure to security experts and researchers. The PCC system supports the cloud processing needs of Apple Intelligence and is built on Apple’s custom silicon servers, which run a security-hardened operating system specifically designed to prevent breaches and data leaks. The program allows participants to test PCC’s security architecture, which Apple claims is “the most advanced security architecture ever deployed for cloud AI computation at scale.”
Apple is inviting security researchers from around the world to examine the PCC infrastructure and identify potential security gaps that could expose user data. By engaging independent researchers through the Virtual Research Environment (VRE), Apple aims to increase transparency and detect underlying vulnerabilities.
Rewards under Bug Bounty Program
Under the Bug Bounty Program, Apple has categorized vulnerabilities into three main areas, each with different reward levels based on risk and complexity.
- Accidental data disclosure: Apple will reward up to $250,000 to the person who uncovers vulnerabilities that expose data due to configuration or design flaws in Apple Intelligence’s servers (PCC). This level focuses on accidental disclosures, which often result from incorrect permissions or unexpected interactions between systems.
- External compromise from user requests: Under this category, Apple is looking to address security gaps that could allow an attacker to gain unauthorized access to the PCC by exploiting user requests. If someone successfully demonstrates a vulnerability in this category, Apple will reward them up to $1 million, especially if it involves arbitrary code execution affecting user data.
- Physical or internal access: With rewards up to $150,000, this tier covers vulnerabilities arising from internal access points within Apple PCC systems. Hacks here may involve privilege escalation, which could allow attackers to access sensitive data.
For each category, Apple evaluates reported vulnerabilities based on technical depth, potential risk to users, and quality of the report. The company also offers additional rewards for exceptional findings that have a significant impact on safety, even if they fall outside specified categories.
To ensure transparency in the bug bounty program, Apple has made the necessary resources available to researchers to help them fully engage with the PCC. The company has published a Private Cloud Compute Security Guide detailing PCC’s privacy protocols, authentication processes, and security mechanisms. Additionally, researchers are provided access to a VRE running on a Mac, where they can download, analyze, and test PCC software within a controlled setting. For those who want to take a deeper look, Apple has also made portions of PCC’s source code available on GitHub.