Wednesday, July 22, 2020

Google's Project Zero team will not apply for Apple's SRD program


Apple Security

Other security researchers have expressed similar intentions to skip the Apple SRD program because its rules give Apple full control of the vulnerability disclosure process.

Some of the top names in iPhone vulnerability research have announced plans to skip Apple's new Security Research Device (SRD) program today because of Apple's restrictive disclosure rules, which effectively muzzle security researchers.

The list includes Project Zero (Google's elite bug-hunting team), Will Strafach (CEO of Guardian Mobile Security), ZecOps (a mobile security firm that recently discovered a series of iOS attacks) and Axi0mX (an iOS vulnerability researcher and the author of the Checkm8 iOS exploit).

 

What's the Apple SRD program?

The Security Research Device (SRD) program is unique among smartphone manufacturers. Through it, Apple has promised to provide security researchers with special iPhones ahead of their general sale.

These iPhones are modified to carry fewer restrictions and allow deeper access to the iOS operating system and the device hardware. This lets security researchers look for bugs they would not normally be able to detect on a standard iPhone, where the default security features stop security tools from inspecting the phone in depth.

Apple officially announced the SRD program in December 2019, when it also extended its bug bounty program to include more of its operating systems and platforms.

However, while the company teased the program last year, it wasn't until today that Apple launched it, publishing an official SRD website and emailing selected security researchers and bug hunters to invite them to apply for the review process required to receive one of the modified iPhones.

 

New Restrictive Rule

This new website also included the official rules of the SRD program, which security researchers had not had the opportunity to review in detail until today.

But while the security community welcomed Apple's SRD announcement last year, considering it a first step in the right direction, it was far less happy with Apple today.

According to complaints shared on social media, one specific clause in particular rubbed most security researchers the wrong way:

"If you report a vulnerability that affects Apple products, Apple will provide you with a release date (usually the date on which Apple releases the update to resolve the issue). Apple will work in good faith to resolve any vulnerabilities as soon as possible. You cannot discuss the vulnerability with others until the release date."

The clause effectively lets Apple muzzle security researchers: it gives Apple full control of the vulnerability disclosure process by allowing the iPhone maker to set the release date before which researchers may not talk about or publish anything on vulnerabilities they found in iOS and the iPhone while part of the SRD program.

Many security researchers now fear that Apple will abuse this clause to delay major patches and drag its feet on delivering much-needed security updates, simply by pushing back the release date after which they are allowed to talk about iOS bugs. Others fear that Apple will use the clause to silence them and prevent them from publishing their work at all.

 

Project Zero and others decide not to apply

The first to notice and understand the implications of this clause was Ben Hawkes, leader of the Google Project Zero team.

"It looks like we're not going to be able to use the Apple 'Security Research Device' because of the vulnerability restrictions that seem specifically designed to exclude Project Zero and other researchers using a 90-day policy," Hawkes said on Twitter today.

Hawkes' tweet received a lot of attention from the infosec community, and other security researchers soon followed the team's decision. Speaking to ZDNet's sister site, CNET, Will Strafach also said that he was not going to join the program because of the same clause.

On Twitter, the cybersecurity firm ZecOps also announced that it would skip the SRD program and continue to hack iPhones the old-fashioned way.

In a conversation with ZDNet, the security researcher Axi0mX said they were also thinking of not participating.

"Disclosure time limits are standard practice in the industry. They are necessary," said the researcher.

"Apple requires researchers to wait for an unlimited amount of time, at Apple's discretion, before any bugs found in the Security Research Device Program can be revealed. There is no time limit. This is a poison pill," he added.

Alex Stamos, Facebook's former Chief Information Security Officer, also criticized Apple's move, which was part of a larger set of decisions the company has taken in recent months against the cybersecurity and vulnerability research community, including a lawsuit against a mobile device virtualization company that helped security researchers track iOS bugs.

It's one thing to see unknown security researchers complaining about a security program, but it's another to see the industry's biggest names attacking one.

 

Apple's security programs are not well regarded

The fear that Apple might abuse the SRD program rules to bury important iOS bugs and research is justified for those who have followed Apple's security programs, as Apple has previously been accused of the same practice.

In a series of tweets published in April, macOS and iOS developer Jeff Johnson attacked the company for not being serious enough about its security work.

"I'm thinking about withdrawing from the Apple Security Bounty program," said Johnson. "I don't see any evidence that Apple is serious about the program. I've heard of just 1 bounty payment, and the bug wasn't Mac-specific. Also, Apple Product Security has ignored my last email to them for weeks.

"Apple announced the program in August, did not open it until a few days before Christmas and has not yet paid a single Mac security researcher to my knowledge. This is a joke. I think the goal is to keep researchers quiet about bugs for as long as possible," Johnson said.
