A free iPhone from Apple? It’s possible, but there are some catches

A free iPhone from Apple? It's possible, but there are some catches

Who wouldn’t want the latest and greatest iPhone for free?

Well, if you’re a security researcher then you might be able to get just that, by joining the Apple Security Research Device (SRD) Program.

Apple wants researchers to find and responsibly report vulnerabilities in iOS’s security, and researchers are much more likely to do that if they have the actual hardware in their hands.

But don’t get too excited thinking you’ll be able to get your very own Apple iPhone for free by signing up for the initiative, as there are some caveats.

Firstly, it isn’t an ordinary iPhone.

In Apple’s own words it has “unique code execution and containment policies,” and provides a “controlled setting for security research only.”

Note that “only” – although the SRD operates as much like a standard iPhone as possible, Apple says that it is not personal use, shouldn’t be used as your day-to-day phone, and is intended for security research only Furthermore, it “must remain on the premises of program participants at all times.”

In other words, you’re not going to be showing off how you can access shell on your iPhone to your mates down the pub.

Sign up to our free newsletter.
Security news, advice, and tips.

But if you’re happy with the rules and are accepted onto the Security Research Device Program then a free Apple iPhone might be yours.

Well, not quite “yours.” You see, SRDs remain Apple’s property, and are only leant to you on a 12-month renewable basis.

And before you get too excited, there is some other small print:

To be eligible for the Security Research Device Program, you must:

  • Be a membership Account Holder in the Apple Developer Program.
  • Have a proven track record of success in finding security issues on Apple platforms, or other modern operating systems and platforms.
  • Be based in an eligible country or region.

Participation is not allowed if you are:

  • In any U.S. embargoed countries, on the U.S. Treasury Department’s list of Specially Designated Nationals, on the U.S. Department of Commerce Denied Persons List or Entity List, or on any other restricted party lists.
  • Under the legal age of majority in the jurisdiction in which you reside (18 years of age in many countries).
  • Employed by Apple currently or in the last 12 months.

And, of course, there are likely to be more people interested in applying for the SRD program than there are spaces.

But if you do use the SRD to find an iPhone vulnerability then there could be some not insignificant amounts of cash to be made.

Under the rules of the initiative, you must report vulnerabilities to Apple (and to the relevant third-party vendor if it’s in their code). Apple would also like it if you reported any vulnerabilities you found without using the SRD, but there’s no compulsion to do that.

Any vulnerabilities found and responsibly reported to Apple are automatically considered for a bug bounty – which could earn you hundreds of thousands of dollars.

For Apple the cost of loaning an Apple iPhone to a security researcher is insignificant, but the benefits could be enormous.

Good luck bug hunters.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.