The iPhone Security Research Device Program allows researchers to work with Apple directly in discovering vulnerabilities while still receiving bounty payments. Sign-ups are open through October 31.
Apple launched the iPhone Security Research Device Program in 2019. The program reportedly works well, having discovered 130 high-profile security-critical vulnerabilities since its launch.
The program website says researchers interested in applying for the 2024 iPhone Security Research Device Program have until October 31. It has paid upwards of $500,000 in awards for discovered vulnerabilities on Security Research Devices — which are essentially jailbroken iPhones.
The Security Research Device is meant to be used in a controlled environment for security research only. Provided devices are still Apple's property and loaned on a 12-month renewable basis.
Apple's description of a Security Research Device:
Researchers can use a Security Research Device to:
- Install and boot custom kernel caches.
- Run arbitrary code with any entitlements, including as platform and as root outside the sandbox.
- Set NVRAM variables.
- Install and boot custom firmware for Secure Page Table Monitor (SPTM) and Trusted Execution Monitor (TXM), new in iOS 17.
Select researchers and educators at the university level can apply for Security Research Devices. All submissions will be reviewed by the end of 2023, and selectees will be notified in early 2024.
Apply at Apple's security website.