Apple is launching a new Apple Security Research Device program today to provide security researchers with dedicated security research iPhones with unique guidelines for code execution and containment.
Apple announced last year that it would give security researchers access to “special” iPhones that would make it easier for them to find vulnerabilities and make iOS devices more secure. This appears to be the program that is currently being implemented.
The iPhones that Apple makes available to security researchers are less locked down than consumer devices and make it easier to find serious security holes.
According to Apple, the Security Research Device (SRD) provides shell access and can run any tools or permissions. Apart from that, however, it behaves similarly to a standard iPhone. SRDs are made available to security researchers on a renewable 12-month basis and remain the property of Apple. Errors discovered with the SRD must be reported “immediately” to Apple or a relevant third party.
If you use the SRD to find, test, validate, verify, or confirm a vulnerability, you must report it immediately to Apple and, if the error is contained in third-party code, to the appropriate third party. If you have not used the SRD for any aspect of your work with a vulnerability, Apple strongly recommends reporting the vulnerability (and rewards it through the Apple Security Bounty), but it is not required.
If you report a vulnerability that affects Apple products, Apple will give you a release date (usually the date that Apple releases the update to correct the problem). Apple will work in good faith to resolve any vulnerability as soon as possible. Until the release date, you cannot discuss the vulnerability with others.
Apple accepts applications for the Security Research Device Program. Requirements include participation in the Apple Developer Program and a track record of finding security issues on Apple platforms.
Those who participate in the program have access to extensive documentation and a special forum with Apple engineers. Apple told TechCrunch that it wants the program to be a collaboration.
The Security Research Device Program is run in conjunction with the Bug Bounty program. Hackers can file bug reports with Apple and receive payouts of up to $1 million, with bonuses for the worst vulnerabilities.