Apple on Wednesday announced that it is now accepting applications for the 2024 iPhone Security Research Device Program (SRDP).
Intended for security researchers looking to identify vulnerabilities in Apple’s mobile devices and earn rewards for eligible findings, the SRDP program was launched in 2019.
Since its inception, the program has resulted in the discovery of 130 critical-severity vulnerabilities, with 37 CVE identifiers issued over the past six months alone, Apple says.
The tech giant claims that the reports received as part of the program have helped it implement novel mitigations in its operating systems, including in areas such as kernel and kernel extensions, and XPC services (helper tools for Apple’s lightweight mechanism for basic interprocess communication).
Security researchers accepted in the 2024 SRDP will receive specially-built hardware variants of the iPhone 14 Pro that are specifically designed for security research.
These iPhones, which Apple calls Security Research Devices (SRDs), feature tools and options enabling researchers to configure or disable iOS’s advanced security protections.
These devices allow researchers to install custom kernel caches, run arbitrary code with various options, change NVRAM variables, and “install and boot custom firmware for Secure Page Table Monitor (SPTM) and Trusted Execution Monitor (TXM), new in iOS 17”.
Security researchers reporting issues identified using an SRD are also eligible for receiving rewards through Apple’s bug bounty program.
“We’re pleased to have rewarded over 100 reports from our SRDP researchers, with multiple awards reaching $500,000 and a median award of nearly $18,000,” the tech giant says.
Each year, Apple provides SRDs to a limited number of security researchers who apply to the program and who are selected based on their track record, including on other platforms.
This year, interested researchers have until October 31, 2023, to apply for the program. Apple says it will notify the selected participants by the end of the year.
Apple is also giving SRDs to select academics, to use them as teaching tools in security research classes.
Related: Apple Lists APIs That Developers Can Only Use for Good Reason
Related: Apple Patches Another Kernel Flaw Exploited in ‘Operation Triangulation’ Attacks
Related: Apple’s Rapid Security Response Patches Causing Website Access Issues
