Apple has announced a new Security Research Device Program under which bug hunters will be given hacker-friendly iPhones to help them find and report security vulnerabilities that the company can fix.
“As part of Apple’s commitment to security, this program is designed to help improve security for all iOS users, bring more researchers to iPhone, and improve efficiency for those who already work on iOS security. It features an iPhone dedicated exclusively to security research, with unique code execution and containment policies,” the company says.
These special iPhones that are less locked down than consumer devices will be given to skilled and vetted researchers. This will allow security researchers to gain unprecedented access to the inner workings of the device, making it easier for them to find security vulnerabilities and weaknesses.
How It Works
Apple says the Security Research Device (SRD) offers shell access and lets researchers run any tools and use any entitlements they choose. Otherwise, the SRD behaves as similarly to a standard iPhone as possible in order to be a representative research target. The SRDs will be provided to bug hunters on a 12-month renewable basis and remain the property of Apple.
“They are not meant for personal use or daily carry, and must remain on the premises of program participants at all times,” the company said. “Access to and use of SRDs must be limited to people authorized by Apple.”
If a bug hunter finds a vulnerability with the SRD, it must be “promptly” reported to Apple or the relevant third-party software developer.
If you use the SRD to find, test, validate, verify, or confirm a vulnerability, you must promptly report it to Apple and, if the bug is in third-party code, to the appropriate third party. If you didn’t use the SRD for any aspect of your work with a vulnerability, Apple strongly encourages (and rewards, through the Apple Security Bounty) that you report the vulnerability, but you are not required to do so.
If you report a vulnerability affecting Apple products, Apple will provide you with a publication date (usually the date on which Apple releases the update to resolve the issue). Apple will work in good faith to resolve each vulnerability as soon as practical. Until the publication date, you cannot discuss the vulnerability with others.
Vulnerabilities found with an SRD are automatically considered for a reward through the Apple Security Bounty.
Apple is accepting applications for the Security Research Device Program. However, not all security researchers are eligible, and participation in the Security Research Device Program is subject to review, Apple said.
“Device availability is limited. Devices will not be available for all qualified applicants in the initial application period. Qualified applicants who do not receive a device during this period will automatically be considered during the next application period in 2021,” the company added.
To be eligible for the program, one must be an Account Holder in the Apple Developer Program and have a proven track record of finding security issues on Apple platforms or other modern operating systems and platforms.
The program is only open to researchers based in Australia, Austria, Belgium, Canada, Czech Republic, Denmark, Finland, France, Germany, Hungary, Ireland, Italy, Japan, Luxembourg, Netherlands, Norway, Poland, Portugal, Spain, Sweden, Switzerland, UK, and the U.S.
Those interested in applying for the Security Research Device Program can do so via Apple’s developer page.
Besides the new initiative, Apple also has an existing bug bounty programme that gives payouts of up to $1 million to researchers for finding vulnerabilities in publicly available versions of iOS, iPad, macOS, tvOS, or watchOS.