Apple just launched a new website dedicated to macOS and iOS security. Two blog posts already show what to expect: one is a deep dive into memory allocation within the XNU kernel at the heart of all Apple devices, and the other discusses the improved security bounty process.
The new website will undoubtedly become a critical resource for Apple security researchers, both providing information and serving as a hub for submitting vulnerability reports to the bounty program. The Apple Security Research website is also where you can apply for an official Apple Security Research Device (SRD), an iPhone that helps with identifying vulnerabilities by providing special access to areas of iOS that are normally protected.
Since macOS, iOS, iPadOS, watchOS, and tvOS are all based on the same core software libraries, a security flaw in one could affect the others. Apple explains that an iPhone it has set up as an SRD remains Apple’s property, is provided on a renewable annual basis for security research only, and should be used in a controlled setting.
In addition to the SRD, Apple gives security researchers a greater incentive by making it easier to report any vulnerabilities found in macOS, bundled apps, and other Apple operating systems. Apple says its engineers will review and investigate every submission, post notifications acknowledging bugs, and let you know whether you qualify for the Apple Security Bounty program.
Apple’s bug bounty program pays out millions of dollars but it has proven to be a frustrating experience for some security researchers and developers. Perhaps that will change with the launch of the new Apple Security Research website.