I want to apply (not that I am sure that Apple would consider me a security researcher) but am unsure to what extent they're going to go with
> If you use the SRD to find, test, validate, verify, or confirm a vulnerability, you must promptly report it to Apple and, if the bug is in third-party code, to the appropriate third party.
I mean, if I find a bug I might report it, but I know people who work on jailbreaks and stuff. If they tell me something, will I have to promptly report it? What if I find something on a non-SRD device? If I ever hypothetically "write a jailbreak", will Apple come after me even if I say I didn't use that device for it? I can get 90% of the benefit from using a device with a bootrom exploit, with none of the restrictions here…
I’m not a lawyer nor your lawyer, but I read that to mean any vulnerability you discover as a result of your research using the SRD, not any vulnerability you otherwise discover or of which you have knowledge.
Right, but is Apple going to believe me when I say that I didn't? They could just revoke my access anyways. (I'm being honest here, this isn't a question of "can I trick Apple into thinking I didn't do this on the SRD".)
>if they tell me something will I have to promptly report it
according to the terms no, unless you use the SRD to verify the information or vulnerability
>If I ever hypothetically "write a jailbreak", will Apple come after me even if I say I didn't use that device for it
I imagine that if you sold a jailbreak for $$$$ that Apple would probably take a close look at the telemetry the device is sending. If you're confident in your ability to terminate all telemetry, and keep good opsec, and defend yourself in court, then maybe that avenue would be feasible. It certainly wouldn't be ethical.
You're taking this question the wrong way: my scenario isn't "I want to trick Apple", it's "will Apple believe me even if I am being honest" and "even if Apple thinks I am being honest will they hold it over my head anyways as a way to control what I disclose".
If your intentions are good, even if you're doing all the right things, you'd be playing with fire. To be honest, the people they hand out SRDs to probably have an excellent working relationship with Apple already, anyways; toeing the line would probably preclude you from having an SRD or getting a second year of access.
I used those words to emphasize that there is really no way for Apple to know I was telling the truth, so I could say anything, fully truthfully, and they could just turn around and claim that they don't believe me. I guess I can see how you'd end up thinking that, but yeah, having this kind of restriction that is hard to actually prove and depends on what Apple believes would generally preclude a lot of people from being in the program.