Apple’s new iPhone bug-hunting scheme branded a “poison pill”

Researchers baulk at hefty restrictions such as being bound to silence during a limitless disclosure window

Researchers have expressed frustration at the terms of an Apple bug bounty scheme in which special iPhones will be shipped out in the hope that device and iOS vulnerabilities can be fixed more effectively.

Some voices in the security community have lamented restrictions in the Security Research Device Program (SRDP) which prevent them from publicly or privately disclosing any flaws until Apple sets its own disclosure date. This restriction, in addition to strict rules on how the iPhones can be used, has led some to describe the scheme as a "poison pill".

The SRDP was first announced in August last year at the Black Hat security conference, with no suggestion as to why it has taken so long for the programme to be launched. Apple said at the time that it wanted to attract some of the most exceptional researchers, who have been focusing their time on other platforms.

These devices are “dedicated exclusively to security research”, with unique code execution and containment policies. They also behave as closely to standard iPhones as possible, although shell access is available and researchers can run any tools on them.

They are not meant for personal use or daily carry, however, and must remain on the premises of participants at all times. All verified vulnerabilities, meanwhile, are legally required to be reported to Apple immediately, or the appropriate third party if the bug is found in third-party code.

Apple will then provide participants with a publication date, up to which point participants are restricted from discussing the vulnerability with anybody else, let alone in public.

This aspect of the scheme is proving to be a major sticking point for many, given Apple hasn’t committed to any particular disclosure window or timeline. Effectively, that means researchers can be ‘gagged’ for an indefinite period until Apple decides to set a publication date.


“Apple has no reason to give you a publication date until they decide they want to give you one,” one iOS jailbreaker told IT Pro, adding in a tweet that participation was “a poison pill”.

“They could take as long as they want. You could be under NDA essentially forever. Disclosure deadlines are standard practice in the industry. They give vendors an incentive to address issues promptly.”

They also highlighted Google’s explanation of why its Project Zero research programme has a 90-day disclosure window: chiefly, that it incentivises developers to fix vulnerabilities found in their code at a much faster pace.

Apple insists that it will work in good faith to resolve each vulnerability as soon as is practical, and that it will usually provide participating researchers with a publication date.

Researchers who are already members of the Apple Developer Program can apply to participate in the programme and, should they qualify, will soon begin receiving special iPhones on a 12-month renewable loan.
