Apple on Wednesday officially launched its iOS Security Research Device (SRD) program — a significant milestone for the white-hat hacker community, which in recent years has made considerable strides in gaining the trust of software developers, tech manufacturers and website operators that were previously reluctant to work with outsiders on security issues.
Under the terms of the program, Apple will send trusted hackers a research iPhone that they can study and probe to hunt for potentially dangerous vulnerabilities and report them, with an opportunity to earn a bug bounty reward. Many mobile security experts contend that Apple’s newfound open-mindedness should ultimately result in a more secure product.
“The iOS Security Research Device program is a step in the right direction for Apple, as they are a high-priority target for nation-state-backed attackers. By looping in more researchers to perform a greater volume of testing, Apple should achieve better security as a result,” said Casey Ellis, CTO and founder of vulnerability disclosure platform provider Bugcrowd.
In an online company announcement, Apple said that the research iPhones will be distributed exclusively for the purposes of security research in controlled settings, and will feature unique code execution and containment policies. Vetted and approved researchers can keep the phones on a 12-month renewable basis, but the devices remain owned by Apple.
“If you use the SRD to find, test, validate, verify, or confirm a vulnerability, you must promptly report it to Apple and, if the bug is in third-party code, to the appropriate third party,” Apple said in its announcement. “If you didn’t use the SRD for any aspect of your work with a vulnerability, Apple strongly encourages (and rewards, through the Apple Security Bounty) that you report the vulnerability, but you are not required to do so.”
Ellis is hopeful that additional device-makers will follow suit.
“To proactively identify and close vulnerabilities in their products before they can be exploited by bad actors, both before and after products are brought to market, organizations should take a page out of Apple’s playbook and work with outside researchers,” said Ellis. “Speed is the natural enemy of security in software development, and no organization is safe, even companies with in-house security teams.”