Apple has announced that through October 31, the company is inviting security researchers to apply for the 2024 iPhone Security Research Device Program (SRDP) to “jump-start their iPhone research, work with our security teams to help protect users, and qualify for Apple Security Bounty rewards.”
“Since we launched the program in 2019, SRDP researchers have discovered 130 high impact, security-critical vulnerabilities and their insights have helped us implement novel mitigations to protect our platforms,” Apple says. “In just the past six months, they’ve received 37 CVE credits for their findings, and their work has directly contributed to security improvements in areas such as the XNU kernel, kernel extensions, and XPC services around the system.”
Security issues that are found with a Security Research Device are also eligible for Apple Security Bounty. Apple says it has rewarded over 100 reports from its SRDP researchers, with multiple awards reaching $500,000 and a median award of nearly $18,000.
Among other features, researchers can use a Security Research Device (SRD) to:
• Install and boot custom kernel caches;
• Run arbitrary code with any entitlements, including as platform and as root outside the sandbox;
• Set NVRAM variables;
• Install and boot custom firmware for Secure Page Table Monitor (SPTM) and Trusted Execution Monitor (TXM), new in iOS 17.
Even when reported vulnerabilities are patched, the SRD makes it possible to continue security research on an updated device. All SRDP participants are encouraged to ask questions and exchange detailed feedback with Apple security engineers.
Each year, Apple selects a limited number of security researchers to receive an SRD through an application process that’s primarily based on a track record in security research, including on platforms other than iPhone. The tech giant is also making SRDs available to select educators at the university level who would like to use them as a teaching tool to introduce computer science students to security research. Educators can request to authorize multiple users for use in their classroom or lab.
Apple’s online application is open until October 31. The company says it will review all submissions by the end of the year and notify selected participants in early 2024. To learn more about program eligibility and apply for a Security Research Device, visit https://security.apple.com/research-device.