Apple might pay teenager who found Group FaceTime surveillance bug

By Mike Wuerthele

An Apple executive has reportedly suggested that the 14-year-old who discovered the Group FaceTime surveillance exploit would be rewarded by the company's bug bounty program.

Left, Michelle Thompson; Right Grant Thompson

One week after social media picked up on a FaceTime exploit that allowed callers to eavesdrop on a recipient before the call is picked up, the original discoverer has been visited by an unnamed Apple executive.

"They also indicated that Grant would be eligible for the bug bounty program. And we would hear from their security team the following week in terms of what that meant," said discoverer Grant Thompson's mother Michele Thompson. "If he got some kind of bug bounty for what he found we'd certainly put it to good use for his college because I think he's going to go far, hopefully. This is actually a field he was interested in before and even more so now."

In an interview with CNBC's Squawk Box Grant said that he isn't fazed by the process, and will still continue to use Apple's products, saying that "every now and then something like this just falls through the cracks and can be found."

Michele Thompson declined to identify the Apple executive in question.

The exploit was relatively simple to induce. The caller starts a FaceTime video call with a contact, then while the call is "ringing," they add themselves to the call as a third party by tapping Add Person and entering their own phone number. If properly executed, a Group FaceTime call is started and the original recipient's audio begins to stream before the call is accepted.

After the bug picked up some traction on social media, Apple disabled Group FaceTime, preventing the execution of the flaw. Apple has since apologized for the bug, and a patch is expected shortly.

It was claimed on Tuesday that Apple was informed about the privacy bug a week prior, with posts on Twitter seemingly confirming the timeframe. It is unknown if the bug was reported through Apple's official bug reporting mechanism or was performed by other means.

The later postings on Twitter about the prior alert to the company were called into question, due to a number of elements on the account making it seem dubious. A timestamp on one screenshot showed the use of GMT rather than Mountain Time or another appropriate timezone, while posts prior to January 1 were eradicated, among other issues that made the social media testimony seem dubious at the time.

Apple's bug bounty program was announced in 2016, offering thousands of dollars as a reward to people discovering vulnerabilities in its products and services. The bounties range from $25,000 for access from a sandboxed process to user data outside of that sandbox to $200,000, awarded for secure boot firmware component discoveries.

It is unclear where on the scale the FaceTime bug sits on the scale, but it is likely to be on the lower end of the range overall.

The bug bounty program may offer high rewards, but it has previously been criticized for failing to be enough for security researchers to participate, as iOS bugs may gain a higher bounty by being sold to private companies seeking ways to defeat Apple's security. In 2017, it was suggested iOS exploits could be bought for $500,000 from some firms, with one paying upward of $1.5 million for a full set of bugs that can jailbreak an iPhone.