Apple's Security Research Device program is now open to select bug bounty hunters.
Apple’s Security Research Device program is now open to select researchers – but some are irked by the program’s vulnerability disclosure restrictions.
Apple’s long anticipated Security Research Device program has launched, giving select security researchers access to testable iPhones that will make it easier for them to find iOS vulnerabilities.
The program offers security researchers specially configured iPhones with shell access, and special features such as advanced debug capabilities. The devices behave “as closely to a standard iPhone as possible in order to be a representative research target,” said Apple.
“As part of Apple’s commitment to security, this program is designed to help improve security for all iOS users, bring more researchers to iPhone, and improve efficiency for those who already work on iOS security,” according to Apple in a Wednesday announcement. “It features an iPhone dedicated exclusively to security research, with unique code execution and containment policies.”
To be eligible for the program, researchers must be a membership Account Holder in the Apple Developer Program and have a “proven track record of success” in finding security issues on Apple platforms.
The devices are provided on a 12-month renewable basis, are not meant for personal use, and must remain on the premises of program participants at all times, according to Apple.
“If you use the SRD to find, test, validate, verify, or confirm a vulnerability, you must promptly report it to Apple and, if the bug is in third-party code, to the appropriate third party,” according to Apple.
The Security Research Device program has been praised by some in the security space as a “good step forward” for the iPhone maker, which up until last summer had a historically restricted bug bounty program.
Patrick Wardle, security researcher with Jamf, said that the new program will make the analysis of third-party apps much easier – which is “something that may directly impact end users in a positive way.”
“I’m happy that Apple is moving forward with this program,” Wardle told Threatpost. “Though the devices may not be fully open (i.e. probably won’t have the ability to boot custom kernels, etc) and there are some legal restraints (i.e. any bug found must be reported to Apple), I still think it’s a good step forward.”
On the flip side, however, Ben Hawkes of Google Project Zero's security research team took to Twitter to air complaints about the program’s vulnerability disclosure restrictions.
“It looks like we won’t be able to use the Apple ‘Security Research Device’ due to the vulnerability disclosure restrictions, which seem specifically designed to exclude Project Zero and other researchers who use a 90 day policy,” he said.
Apple’s program policy says that if researchers report a vulnerability affecting Apple products, Apple will provide them with a publication date (usually the date on which Apple releases the update to resolve the issue).
“Apple will work in good faith to resolve each vulnerability as soon as practical,” according to the policy. “Until the publication date, you cannot discuss the vulnerability with others.”
Threatpost has reached out to Apple for further clarification on this policy.
Hawkes said Google Project Zero will continue to research Apple platforms and provide Apple with their findings. “But I’ll confess, I’m pretty disappointed,” he said.