Apple launches 2024 SRDP plan: Invites security experts to use custom iPhones to find vulnerabilities

Apple officially announced yesterday (August 30) that it will start accepting applications for the 2024 iPhone Security Research Device Program. iOS security researchers can apply for a Security Research Device (SRD) before the end of October.

The SRD is an iPhone 14 Pro provided specifically to security researchers. It has special hardware and software designed for security research, which makes it easier to discover key vulnerabilities in iOS. Apple will consider awarding a security vulnerability bounty for vulnerabilities discovered using the SRD.

After obtaining a 12-month (renewable) SRD, researchers can use it to:

  • Install and start a custom kernel cache
  • Run arbitrary code with any privilege, including outside the sandbox as platform and root
  • Set NVRAM variables
  • Install and launch custom firmware for the new Secure Page Table Monitor (SPTM) and Trusted Execution Monitor (TXM) in iOS 17

Apple added that iPhones provided through the Security Research Device Program can only be used by authorized personnel and must not leave the security research organization's premises.

Device application deadline is October 31

From now until October 31, Apple is inviting security researchers to apply for the 2024 iPhone Security Research Device Program (SRDP). Work with the Apple security team to help protect users and earn Apple Security Bounty rewards for finding vulnerabilities.

Each year Apple selects a limited number of security researchers to receive SRDs through an application process based primarily on their track record in security research, including on platforms other than the iPhone.

Apple is also allowing colleges to apply for access to the 2024 iPhone Security Research Device program to use it as a teaching aid in computer science classes.

All submitted applications will be fully evaluated by the end of this year, and the list of selected participants is planned to be announced in early 2024.

You can find out more about eligibility for the program and submit an application for a security research device on the Apple Security Research Device Program page.

Apple Security Research Device Program (SRDP) launched as early as 2019

The Apple Security Research Device Program (SRDP) went live in 2019, and researchers have discovered 130 high-impact security vulnerabilities through the program. Apple said the researchers helped them implement "novel fixes" to protect iOS devices.

Over the past six months, program participants have earned 37 CVE credits for contributing to improvements to the XNU kernel, kernel extensions, and XPC services.

Researchers participating in the SRDP are eligible for an Apple Security Grant. Apple has rewarded more than 100 reports from SRDP researchers, and says "multiple awards" amounted to $500,000, with a median award of nearly $18,000.

Origin blog.csdn.net/FreeBuf_/article/details/132609481