Developer says Apple's Bounty Program never paid for location bug

article thumbnail

An iOS engineer says he feels "robbed" by Apple's Security Bounty program after failing to receive payment for a vulnerability he believes fit its guidelines.

Nicolas Brunner, an iOS engineer at Swiss Federal Railways, wrote about his experience with the bounty program in a Medium post on Monday. According to Brunner, he had discovered an exploitable vulnerability in iOS 13 back in March 2020.

The vulnerability would have allowed an app to permanently collect a user's location data without their consent. Brunner says he discovered the flaw while working on an iOS project.

"This seemed like a critical issue to me — especially with Apple's focus on privacy in the last years," Brunner wrote.

Brunner wrote a demonstration app and submitted it to Apple's bounty program. The flaw was actually fixed in iOS 14, and Apple credited Brunner in its security release notes. Despite that, Brunner said he didn't receive any payment for the vulnerability.

The developer communicated with Apple's security team over eight months, and, ultimately, Brunner says Apple sent no payment. In addition, in the last email the company sent, Apple allegedly said the issue did not qualify for a security bounty because it didn't demonstrate any categories listed under the program's guidelines.

Brunner disagrees with that assessment, pointing out that Apple lists access to "precise location data" that would typically be protected by a prompt as a vulnerability qualifying for a reward.

"To be frank: Right now, I feel robbed," Brunner wrote. "However I still hope, that the security program turns out to be a win-win situation for both parties."

Apple has long had a bug bounty program for specific operating systems, but it was invite-only for some time. In 2019, the company opened it to all developers and security researchers and expanded its scope to include all of its operating systems.

The Cupertino tech giant has paid out bounties for high-profile vulnerabilities in the past, including a $100,000 reward for a Sign in with Apple bug.

Keep up with everything Apple in the weekly AppleInsider Podcast — and get a fast news update from AppleInsider Daily. Just say, "Hey, Siri," to your HomePod mini and ask for these podcasts, and our latest HomeKit Insider episode too.

If you want an ad-free main AppleInsider Podcast experience, you can support the AppleInsider podcast by subscribing for $5 per month through Apple's Podcasts app, or via Patreon if you prefer any other podcast player.