Who wouldn’t want the latest and greatest iPhone for free?
Well, if you’re a security researcher then you might be able to get just that, by joining the Apple Security Research Device (SRD) Program.
Apple wants researchers to find and responsibly report vulnerabilities in iOS’s security, and researchers are much more likely to do that if they have the actual hardware in their hands.
But don’t get too excited thinking you’ll be able to get your very own Apple iPhone for free by signing up for the initiative, as there are some caveats.
Firstly, it isn’t an ordinary iPhone.
In Apple’s own words it has “unique code execution and containment policies,” and provides a “controlled setting for security research only.”
Note that “only” – although the SRD operates as much like a standard iPhone as possible, Apple says that it is not personal use, shouldn’t be used as your day-to-day phone, and is intended for security research only Furthermore, it “must remain on the premises of program participants at all times.”
In other words, you’re not going to be showing off how you can access shell on your iPhone to your mates down the pub.
But if you’re happy with the rules and are accepted onto the Security Research Device Program then a free Apple iPhone might be yours.
Well, not quite “yours.” You see, SRDs remain Apple’s property, and are only leant to you on a 12-month renewable basis.
And before you get too excited, there is some other small print:
To be eligible for the Security Research Device Program, you must:
- Be a membership Account Holder in the Apple Developer Program.
- Have a proven track record of success in finding security issues on Apple platforms, or other modern operating systems and platforms.
- Be based in an eligible country or region.
Participation is not allowed if you are:
- In any U.S. embargoed countries, on the U.S. Treasury Department’s list of Specially Designated Nationals, on the U.S. Department of Commerce Denied Persons List or Entity List, or on any other restricted party lists.
- Under the legal age of majority in the jurisdiction in which you reside (18 years of age in many countries).
- Employed by Apple currently or in the last 12 months.
And, of course, there are likely to be more people interested in applying for the SRD program than there are spaces.
But if you do use the SRD to find an iPhone vulnerability then there could be some not insignificant amounts of cash to be made.
Under the rules of the initiative, you must report vulnerabilities to Apple (and to the relevant third-party vendor if it’s in their code). Apple would also like it if you reported any vulnerabilities you found without using the SRD, but there’s no compulsion to do that.
Any vulnerabilities found and responsibly reported to Apple are automatically considered for a bug bounty – which could earn you hundreds of thousands of dollars.
For Apple the cost of loaning an Apple iPhone to a security researcher is insignificant, but the benefits could be enormous.
Good luck bug hunters.