Apple today launched a Security Research Device Program to help third parties find iPhone and iPad vulnerabilities. Google’s Project Zero team says its won’t be able to use the modified iOS devices because the program imposes restrictions that prevent 90-day disclosures.
Project Zero is widely regarded for finding major vulnerabilities, but criticized by some in the industry for maintaining a relatively fast disclosure period. The Google team will publicly detail a security issue 90 days after privately reporting even if it hasn’t been patched yet. This hard line is meant to encourage fast updates for end users.
Project Zero team lead Ben Hawkes this afternoon tweeted about the “vulnerability disclosure restrictions,” and how it seems to be “specifically designed to exclude Project Zero and other researchers who use a 90-day policy.”
The sign-up page for Security Research Devices (SRD) explicitly notes how “Apple will provide you with a publication date (usually the date on which Apple releases the update to resolve the issue). That might be longer than Project Zero’s usual disclosure period, though the team this year started trialing a full 90-day period before disclosing vulnerabilities.
If you report a vulnerability affecting Apple products, Apple will provide you with a publication date (usually the date on which Apple releases the update to resolve the issue). Apple will work in good faith to resolve each vulnerability as soon as practical. Until the publication date, you cannot discuss the vulnerability with others.
Hawkes notes how Google asked for a “security research test device in 2014 or early 2015.” Last August, Apple announced that the program at the Black Hat conference, and opened up applications today. These special iPhones, which have shell access and can run custom tools, are “provided on a 12-month renewable basis and remain the property of Apple.”
In that period, Google has “reported over 350 security vulnerabilities to Apple,” and Project Zero will continue that research. However, they are “pretty disappointed” about not being able to use SRDs for their work. As 9to5Mac reported this morning:
Access to “rooted” hardware enables security researchers to inspect core parts of the operating system more easily, which helps to track down exploits in the kernel and other low-level areas of the iOS operating system.
Apple last year took particular issue with Project Zero calling an iOS vulnerability targeting the Uighur community “one of the largest attacks against iPhone users ever.”
FTC: We use income earning auto affiliate links. More.