Apple Offers $1 Million Bounty for Cracking Private Cloud Security

Apple is offering a top reward of up to $1 million to those who can demonstrate significant breaches in its Private Cloud Compute (PCC) platform, making it one of the largest bounties in the industry.


In a move to enhance transparency and encourage external analysis, Apple has now made the resources for its PCC Virtual Research Environment (VRE) accessible to the public.

The VRE is a specialized set of tools designed to allow researchers to scrutinize the security and privacy mechanisms of Apple’s Private Cloud Compute platform. With this environment, researchers can go beyond simply reading about the platform’s security features and instead perform in-depth analyses to verify Apple’s privacy claims for themselves.

Apple originally provided access to the VRE to select third-party auditors and security researchers for testing. By expanding access, Apple is calling on the global security community to participate in ensuring that PCC maintains the highest standards of privacy and security.

Along with the VRE’s public release, Apple has announced a significant expansion of its existing Apple Security Bounty program to include PCC vulnerabilities. Researchers who discover and report issues that compromise the security and privacy of the PCC platform will now be eligible for substantial rewards.

Apple has introduced specific bounty categories related to PCC, which address the most critical potential threats identified in the company’s latest Security Guide.


The most eye-catching element of Apple’s announcement is the $1 million top prize, which will be awarded for vulnerabilities that result in remote code execution or unauthorized access to user data outside the PCC trust boundary.

This maximum reward is offered for scenarios where an attacker can gain control over sensitive request data or execute arbitrary code on the PCC platform without proper entitlements.

For vulnerabilities discovered from privileged network positions, the rewards can reach up to $150,000. These types of flaws might involve unauthorized access to user request data or accidental data disclosure due to configuration errors.

Researchers who discover qualifying vulnerabilities can submit their findings via Apple’s Security Bounty page.


😄😆
1 year ago

It's Me's friend in North Korea wants in…
