Apple has launched a new Security Research website and in its initial postings, says that it is making it easier to report issues, and that it has already awarded almost $20 million in bounty rewards.
The new Apple Security Research site comes after years of complaints about how Apple responds when a serious security issue is reported. Security researchers have repeatedly criticised Apple's parsimonious payments, have sometimes said that Apple does not pay up at all, and have accused it of being slow to fix reported bugs.
The new site is intended to make it simpler to find where to report serious bugs, and eligible security researchers can also apply for access to a "specially fused iPhone" to help with their research.
"The Security Research Device (SRD) is a specially fused iPhone that allows you to perform iOS security research without having to bypass its security features," explains a blog post on the new site. "Shell access is available, and you can run any tools, choose your own entitlements, and even customize the kernel."
"Using the SRD allows you to confidently report all your findings to Apple without the risk of losing access to the inner layers of iOS security," it continues. "Plus, any vulnerabilities that you discover with the SRD are automatically considered for Apple Security Bounty."
Apple also says that it's "incredibly proud to have awarded researchers nearly $20 million in total payments," since the bounty program started. Those payments include "20 separate rewards over $100,000" and Apple says that "to our knowledge, this makes Apple Security Bounty the fastest-growing bounty program in industry history."
Alongside the claimed growth in bounty payouts, Apple says it is working to triage reports of security issues much more quickly.
"At times we received many more submissions than we anticipated," says the company, "so we've grown our team and worked hard to be able to complete an initial evaluation of nearly every report we receive within two weeks, and most within six days."
Apple is accepting applications for the Security Research Device from now until November 30, 2022. Only a limited number of devices will be made available each year, and as well as stringent requirements for applicants, there are conditions on its use.
1 Comment
Considering the importance of iOS to the $2trn company that is Apple, I’d have thought the figure should be x10 or even x100 that quoted above