Apple launches new Security Research Device Program to help researchers find security vulnerabilities

While Apple’s software is usually praised for its overall security, there are still vulnerabilities and issues discovered from time-to-time. Making it easier for researchers to discover those issues is a good move, and Apple is doing just that.

On Wednesday, Apple officially launched a new Security Research Device Program, which is designed entirely around the idea of allowing researchers the ability to get a dedicated piece of hardware (an iPhone) that’s designed specifically for research. It includes unique code execution and containment policies, differing from standard iOS, but making security research even easier.

The Security Research Device (SRD) is meant for security research only, as described by Apple on its official landing page for the new resource. Researchers will be able to access the shell, and they will be allowed to run any development tools they need during research. They will also be able to choose entitlement as needed. Other than these key changes, the SRD will function as close to a standard iPhone as possible.

Apple adds:

  • If you use the SRD to find, test, validate, verify, or confirm a vulnerability, you must promptly report it to Apple and, if the bug is in third-party code, to the appropriate third party. If you didn’t use the SRD for any aspect of your work with a vulnerability, Apple strongly encourages (and rewards, through the Apple Security Bounty) that you report the vulnerability, but you are not required to do so.
  • If you report a vulnerability affecting Apple products, Apple will provide you with a publication date (usually the date on which Apple releases the update to resolve the issue). Apple will work in good faith to resolve each vulnerability as soon as practical. Until the publication date, you cannot discuss the vulnerability with others.

Apple notes that these SRD units are handed out on a 12-month renewable basis, and researchers must apply to get the unit. The SRD will remain the property of Apple throughout. The company says the unit is not meant for daily carry, and “must remain on the premises of program participants at all times”.

The eligibility requirements

  • Be a membership Account Holder in the Apple Developer Program.
  • Have a proven track record of success in finding security issues on Apple platforms, or other modern operating systems and platforms.
  • Be based in an eligible country or region.*

Participation is not available if you are:

  • In any U.S. embargoed countries, on the U.S. Treasury Department’s list of Specially Designated Nationals, on the U.S. Department of Commerce Denied Persons List or Entity List, or on any other restricted party lists.
  • Under the legal age of majority in the jurisdiction in which you reside (18 years of age in many countries).
  • Employed by Apple currently or in the last 12 months.

If you are a researcher and want to apply for the SRD, you can do so here.