Apple launched the Security Research Device (SRD) Program this week to help improve security for iOS users and to bring more researchers to the iPhone.
It features an iPhone dedicated exclusively to security research, with unique code execution and containment policies. According to Apple, it is not meant for personal use or daily carry, and must remain on the premises of program participants at all times and usage must be authorized by Apple.
Users who find any vulnerabilities through a SRD must promptly report it to Apple or to an appropriate third party if the code belongs to them.
Those who find one outside of an SRD are encouraged to share it through the Apple Security Bounty, which is offering rewards. Meanwhile, vulnerabilities found with an SRD are automatically considered for reward through the Apple Security Bounty. When a report for a vulnerability is issued, Apple will provide a publication date in which it will resolve the issue.
To be eligible for the Security Device Research Program, participants must be membership account holders in the Apple Developer Program and have a proven track record of success in finding security issues on Apple platforms or other modern operating systems and be based in an eligible country or region listed here.
Also, participants can’t be in any U.S.-embargoed countries, must be over the legal age of majority in their jurisdiction, and can’t be employed by Apple currently or in the last 12 months.
If enrolling as an organization, participants need to have the authority to accept legal agreements on behalf of their organization and will need to list the names of everyone who will have access to an SRD.
