BEIJING, July 24 (Xinhua) — Some of the biggest teams and individuals in the field of iPhone vulnerability research said today that they will not participate in Apple's newly announced Security Research Device (SRD) program because of Apple's strict vulnerability disclosure rules. They include Google's Project Zero, ZecOps, axi0mX and Will Strafach, CEO of the mobile security company Guardian.
Apple's SRD program is unique among handset makers. Under the program, Apple will provide security researchers with a special version of the iPhone to help them find vulnerabilities in it. Apple officially announced the SRD program in December 2019.
While the security community cheered Apple's announcement of the SRD program last year as a first step in the right direction, it was unhappy with the SRD rules Apple published today.
According to the security community's posts on social media, most security researchers are unhappy with the provision that, after a researcher reports a security vulnerability affecting Apple's products, Apple alone will determine the date on which the researcher may publicly disclose it (usually the day Apple releases patched software that fixes the vulnerability). Apple says it will fix each vulnerability as early as possible, but until the specified date researchers are not allowed to discuss the vulnerability with other people or organizations.
The provision effectively allows Apple to "shut up" security researchers and gives it full control over the disclosure process.
Many security researchers worry that Apple will abuse the clause to delay the release of important security patches. There are also concerns that Apple could use the clause to "cover up" their research and even prevent them from disclosing their work at all.
Ben Hawkes, head of Google's Project Zero team, was the first to take note of the provision and its possible impact: "given the limitations on vulnerability disclosure rules, we may not be able to participate in Apple's SRD program."
Cybersecurity company ZecOps also announced on Twitter that it would not participate in the SRD program and would continue to study iPhone security in the traditional way.
For those who know the history of Apple's security programs, the fear that Apple might abuse the SRD rules to cover up important iOS vulnerabilities and security research is not far-fetched: Apple has repeatedly been accused of such behavior before.
In a series of tweets in April, macOS and iOS developer Jeff Johnson accused Apple of not paying enough attention to its security work. (Author/Frost Leaf)