Today, in honor of Corellium’s fourth birthday, we’re announcing the Corellium Open Security Initiative. This initiative will support independent public research into the security and privacy of mobile applications and devices through a series of awards and access to the Corellium platform.
Rewarding Independent Research
More than any other field of computing, security depends on the existence of a large, diverse, unofficial community of researchers. While advancements in areas like hardware design often emerge from well-funded private labs, the majority of progress in cybersecurity over the last several decades has come from “the security research community,” a community that includes not only credentialed academics and corporate professionals, but hackers, dropouts, and hobbyists too.
Conducting third-party research on mobile devices remains difficult, inefficient, and expensive. Particularly in the iOS ecosystem, testing typically requires a jailbroken physical device. Jailbreaks rely on complex exploits, and they often aren’t reliable or available for the latest device models and OS versions.
At Corellium, we recognize the critical role independent researchers play in promoting the security and privacy of mobile devices. That’s why we’re constantly looking for ways to make third-party research on mobile devices easier and more accessible, and that’s why we’re launching the Corellium Open Security Initiative.
As an initial pilot for this program, we will be calling for proposals on a specific topic. Over time, we will evaluate adding more topics and more opportunities for awards. If you’re interested in sponsoring or partnering with us on this initiative, please reach out to us at email@example.com.
First Call for Proposals
Topic: Validating Vendor Security Claims
The security research community plays a pivotal role not only in identifying and defending against security threats, but also in holding software vendors accountable for the security and privacy claims they make about their products.
Just last week, Apple announced that it would begin scanning photos uploaded into Apple’s iCloud service for Child Sexual Abuse Material (CSAM). Setting aside debates on the civil and philosophical implications of this new feature, Apple has made several privacy and security claims about this new system. These claims cover topics as diverse as image hashing technology, modern cryptographic design, code analysis, and the internal mechanics and security design of iOS itself. Errors in any component of this overall design could be used to subvert the system as a whole, and consequently violate iPhone users’ privacy and security expectations.
Since that initial announcement, Apple has encouraged the independent security research community to validate and verify its security claims. As Apple’s SVP of Software Engineering Craig Federighi stated in an interview with the Wall Street Journal, “Security researchers are constantly able to introspect what's happening in Apple's [phone] software, so if any changes were made that were to expand the scope of this in some way—in a way that we had committed to not doing—there's verifiability, they can spot that that's happening.”
We applaud Apple’s commitment to holding itself accountable by third-party researchers. We believe our platform is uniquely capable of supporting researchers in that effort. Our “jailbroken” virtual devices do not make use of any exploits, and instead rely on our unique hypervisor technology. This allows us to provide rooted virtual devices for dynamic security analysis almost as soon as a new version of iOS is released. In addition, our platform provides tools and capabilities not readily available with physical devices.
We hope that other mobile software vendors will follow Apple’s example in promoting independent verification of security and privacy claims. To encourage this important research, for this initial pilot of our Security Initiative, we will be accepting proposals for research projects designed to validate any security and privacy claims for any mobile software vendor, whether in the operating system or third-party applications.
In the initial pilot of the Corellium Open Security Initiative, we will be awarding up to three qualifying submissions a $5,000 grant, to be awarded upon acceptance of the proposal, and free access to the Corellium platform for one year.
Having a track record of security research is helpful, but not required.
Any vulnerabilities discovered in the course of your research must be reported to the vendor. We encourage you to follow the disclosure guidelines of the relevant vendor.
You must provide us with regular updates about the progress of your research. If your proposal is accepted, we will coordinate with you to set a timeline for updates, depending on the length of your project.
You must submit a final report to us providing a detailed technical explanation of the project and its outcomes. This report will be featured on our blog as part of our commitment to open access to security and privacy research. It must be submitted no later than 30 days from the end of your project, or after any disclosure requirements are met.
Any use of the Corellium platform is governed by our Terms of Service.
Awards will be granted at our sole discretion. We will review submissions based on the following criteria:
The likely impact of the proposed research on improving mobile security or privacy.
The novelty and feasibility of the proposed research.
The likelihood that the project will be completed successfully.
The technical merits of the proposed research.
How To Apply
Please email your proposal to firstname.lastname@example.org by or before 5:00pm EST October 15, 2021.
In your proposal, please include the following details:
Name: the name(s) of the researcher(s) that will be performing the research.
Organization (if applicable): your institutional affiliation, if any.
Project Description: a detailed description of the research you intend to perform.
Impact: a detailed description of why this research is important and the impact you expect it to have on improving mobile security or privacy.
Plan and Timeline: when you expect to start the research and how long you expect it to take.
How Corellium can Help: why you would benefit from using Corellium to perform your research.
Supplemental Information: any prior research or other details that might help us review your submission.
We will review and respond to all proposals by 5:00pm EST October 31, 2021.
If you have further questions or suggestions, or are interested in supporting our mission to improve privacy and security through independent third-party research, please feel free to reach out to us at email@example.com.
Stuff the lawyers make us say: We can’t accept proposals from individuals who are on sanctions lists or from individuals in embargoed countries. You are responsible for any taxes on applicable awards, depending on your country of residency and citizenship. Additional restrictions may apply, depending on your local law. All awards are issued entirely at our sole discretion, and we can cancel the program at any time. Your research must not violate any law.