A year after announcing the Security Research Device Program, Apple has started accepting applications for special iPhones for security researchers to use to suss out bugs and exploits.
Apple notes that the iPhone devices provided for the Apple Security Research Device Program are "intended for use in a controlled setting for security research only." The company notes that Shell access on the supplied iPhones is available, and researchers will be able to run any tools and choose entitlements. Otherwise, the SRD behaves as closely to a standard iPhone as possible in order to be a "representative research target."
The devices are provided on a 12-month renewable basis and remain the property of Apple. They are not meant for personal use or daily carry, and must remain on the premises of program participants at all times.
Furthermore, Access to and use of the special iPhones must be limited to people authorized by Apple.
The devices are only available to Apple Developer Program subscribers with a proven track record of success in finding security issues on Apple platforms, or "other modern operating systems and platforms." Apple is specifically disallowing US-embargoed countries, or those who are in Apple's employ, or have been in the last year.
Applications for the devices are being accepted at the program web page.
Apple initially announced the program at the 2019 Black Hat conference. At the time, Apple said that iPhones doled at as part of the program will be set up with permissions to provide more access to the inner workings of iOS, a move which could help increase the number of issues caught before they appear in beta or public-release software.
Apple first introduced a bug bounty scheme in 2016, offering to pay researchers for finding exploits and flaws in iOS that could defeat the security of iPhones and iPads. Throughout its lifetime, there have been complaints about Apple failing to make a similar program that works across its other operating systems.
At the same Black Hat conference that the Apple Security Research Device Program was announced, Apple also jacked up bounties paid for bugs.
A vulnerability providing zero-click access to high-value user data over a network without user interaction offers a maximum payout of $500,000. At the top of the list is a full-chain kernel code execution attack that can persist, performed without a user's interaction at all, which can pay out up to $1 million.
Furthermore, if a researcher finds a vulnerability in a pre-release beta build that is reported to Apple ahead of its public release, they stand to earn a bonus of up to 50% on top.
At a maximum possible earnings of $1.5 million with the pre-release bonus, the bug bounty is a considerable step up in payments for Apple. Previously the maximum possible payment was $200,000.