An Apple program that loans out special iPhones to security researchers has led to the discovery of 130 critical vulnerabilities.
Apple today reported the results from its iPhone Security Research Device Program, which dates back to 2019 and involves Cupertino supplying hacker-friendly iPhones built with fewer software restrictions to security researchers who hunt for bugs in the software.
It’s unclear how many phones Apple sent out, but it looks like the program is working as intended. “Since we launched the program in 2019, SRDP researchers have discovered 130 high impact, security-critical vulnerabilities and their insights have helped us implement novel mitigations to protect our platforms,” the company wrote in a blog post.
Apple is indicating that 37 vulnerabilities were found in the last six months. The researchers’ work also contributed to the company bolstering the security of the XNU kernel for iOS, the core part of the operating system that hackers often target to gain root control.
Cupertino made the announcement as it’s re-inviting qualified security researchers to apply for the program. The company has been giving out the hacker-friendly iPhones selectively because the devices come with shell access, allowing the owner to run any software they’d like. Users also have the freedom to customize the software kernel.
This unrestricted access makes the device useful both to security researchers and to criminal hackers interested in uncovering iOS software vulnerabilities. Hence, Apple has only been loaning out a limited number of hacker-friendly iPhones each year, and only to security researchers with a track record of finding software flaws.
In return, Apple has been compensating these researchers for their discoveries. “We’re pleased to have rewarded over 100 reports from our SRDP researchers, with multiple awards reaching $500,000 and a median award of nearly $18,000,” the company said.
In this new round for the Security Research Device Program, Apple plans on giving out a hacker-friendly iPhone 14 Pro to selected researchers. The company adds: “We’re also making SRDs available to select educators at the university level who would like to use it as a teaching tool to introduce computer science students to security research. Educators can request to authorize multiple users for use in their classroom or lab.”
The company is accepting applications for the program until Oct. 31.