Apple Security Research launches with website, blog, applications open for Research Device Program
Along with announcing its new Lockdown Mode feature this past summer, the company mentioned an upgraded bounty program, a donation to fund ethical security research, and more. Now Apple Security Research has officially launched with a dedicated website, blog, details on the bounty changes, applications open for the Research Device Programs, and more.
Apple launched the new security hub website led by two blog posts today.
“Our groundbreaking security technologies protect the users of over 1.8 billion active devices around the world. Hear about the latest advances in Apple security from our engineering teams, send us your own research, and work directly with us to be recognized and rewarded for helping keep our users safe.”
Apple Security Bounty changes
First up, Apple detailed the ways its security bounty program has been upgraded:
“In the past two and a half years since opening our program, we’re incredibly proud to have awarded researchers nearly $20 million in total payments, with an average payout of $40,000 in the Product category, and including 20 separate rewards over $100,000 for high-impact issues. To our knowledge, this makes Apple Security Bounty the fastest-growing bounty program in industry history.
During this time, our team has worked closely with researchers around the world, and we’ve learned about some things we can do better.
First, we’re responding much more quickly. At times we received many more submissions than we anticipated, so we’ve grown our team and worked hard to be able to complete an initial evaluation of nearly every report we receive within two weeks, and most within six days.
Next, we’re making it easier for researchers to report issues and communicate with our teams. Our Apple Security Research site includes a new way to send us research on the web and get real-time status updates. Just sign in with your Apple ID and follow the prompts to send us a detailed report. You can then track the progress of your report and communicate securely with Apple engineers as we investigate.”
…
“We’re also providing more transparency. Our site now includes detailed Apple Security Bounty information and evaluation criteria. Bounty categories include ranges and examples, so you can determine where you’d like to focus your research, and so you can anticipate whether your report qualifies for a particular reward. We’ve provided ranges for submissions that impact Apple services and infrastructure, as well as our products.”
Security Research Device applications open
Another announcement shared on the new website is that the window for Apple Security Research Device applications is open:
“Starting today through November 30, 2022, we’re also accepting applications for the 2023 Apple Security Research Device Program. This program features an iPhone exclusively dedicated to security research, and can help you get started, go deeper, or improve the efficiency of your research work with iOS.”
Security blog
Kicking off the first post of its new technical security blog, Apple shared about the “next generation of XNU memory safety: kalloc_type.”
“To inaugurate our security research blog, we present the first in a series of technical posts that delves into important memory safety upgrades in XNU, the kernel at the core of iPhone, iPad, and Mac. Because nearly all popular user devices today rely on code written in programming languages like C and C++ that are considered “memory-unsafe,” meaning that they don’t provide strong guarantees which prevent certain classes of software bugs, improving memory safety is an important objective for engineering teams across the industry.”
Read the full post on Apple’s new security site.
Open jobs in security at Apple
Additionally, Apple has a link to submit your resume and interest in security roles at the company.
More
At the bottom of Apple’s new security website, there are a few additional resources for developers, a link to the Apple Platform Security Guide, and Apple Support.
FTC: We use income earning auto affiliate links. More.