Apple is inviting security researchers to apply for its iPhone Security Research Device Program (SRDP). It is a part of Apple’s bug bounty program where security researchers are awarded cash for finding security flaws in the iPhone. On its support page, Apple revealed that security researchers can apply for the 2024 iPhone SRDP and “work with our security teams to help protect users, and qualify for Apple Security Bounty rewards.”
The support page also states that in the last four years SRDP researchers have discovered 130 high impact, security-critical vulnerabilities and “their insights have helped us implement novel mitigations to protect our platforms.”
What do security researchers get?
Security issues that are found with a Security Research Device are also eligible for Apple Security Bounty. “We’re pleased to have rewarded over 100 reports from our SRDP researchers, with multiple awards reaching $500,000 and a median award of nearly $18,000,” Apple notes on the support page.
What can security researchers do?
The researchers will get a specially-built hardware variant of iPhone 14 Pro that’s designed exclusively for security research, with tooling and options that allow researchers to configure or disable many advanced security protections of iOS that cannot be disabled on normal iPhone hardware in the hands of users.
Furthermore, researchers can use a Security Research Device (SRD) to install and boot custom kernel caches; run arbitrary code with any entitlements, including as platform and as root outside the sandbox; set NVRAM variables; install and boot custom firmware for Secure Page Table Monitor (SPTM) and Trusted Execution Monitor (TXM), new in iOS 17.
Once reported security flaws are patched, the special iPhone does not become worthless: researchers can continue to work on an updated device. “All SRDP participants are encouraged to ask questions and exchange detailed feedback with Apple security engineers,” noted Apple on the web page.
How are security researchers selected?
Apple selects a limited number of security researchers to receive an SRD through an application process that’s primarily based on a track record in security research, including on platforms other than iPhone. “We’re also making SRDs available to select educators at the university level who would like to use it as a teaching tool to introduce computer science students to security research,” the company noted.
The online application is open until October 31, 2023. “We’ll review all submissions by the end of the year and notify selected participants in early 2024,” added Apple on the support page.