An iOS engineer says he feels "robbed" by Apple's Security Bounty program after failing to receive payment for a vulnerability he believes fit its guidelines.
Nicolas Brunner, an iOS engineer at Swiss Federal Railways, wrote about his experience with the bounty program in a Medium post on Monday. According to Brunner, he had discovered an exploitable vulnerability in iOS 13 back in March 2020.
The vulnerability would have allowed an app to permanently collect a user's location data without their consent. Brunner says he discovered the flaw while working on an iOS project.
"This seemed like a critical issue to me — especially with Apple's focus on privacy in the last years," Brunner wrote.
Brunner wrote a demonstration app and submitted it to Apple's bounty program. The flaw was actually fixed in iOS 14, and Apple credited Brunner in its security release notes. Despite that, Brunner said he didn't receive any payment for the vulnerability.
The developer communicated with Apple's security team over eight months, and, ultimately, Brunner says Apple sent no payment. In its last email, Apple allegedly said the issue did not qualify for a security bounty because it did not demonstrate any of the categories listed under the program's guidelines.
Brunner disagrees with that assessment, pointing out that Apple lists access to "precise location data" that would typically be protected by a prompt as a vulnerability qualifying for a reward.
"To be frank: Right now, I feel robbed," Brunner wrote. "However, I still hope that the security program turns out to be a win-win situation for both parties."
Apple has long had a bug bounty program for specific operating systems, but it was invite-only for some time. In 2019, the company opened it to all developers and security researchers and expanded its scope to include all of its operating systems.
The Cupertino tech giant has paid out bounties for high-profile vulnerabilities in the past, including a $100,000 reward for a Sign in with Apple bug.
Lesson to the security researchers: don’t trust Apple and its once-a-penny-pincher-always-a-penny-pincher CEO. You may work for free for months at a time in exchange for a thank-you notice at the end for all the work performed (and maybe not even that).
That’s just how penny-pinchers love it, so employees are free to spend even more time playing SJW by demanding Apple take sides in middle eastern wars or institute free-for-all “work” from home policies, rather than provide non-sloppy work output. Afterwards you can always trick a security researcher into working for free for you — you’re the famous, cool, hip Apple after all, people should be falling over themselves for the opportunity to get a thank-you note in the release notes that nobody reads.
So, the strategy is dead simple: just sell it to the highest bidder in the black market. Plenty of people looking for some nice 0-days there, you’re sure to get handsomely rewarded rather than penny-pinched.
If he found a bug in TCC, then TCC is listed on the bounty payout page so he should be paid. If Apple now feel that TCC bugs shouldn't qualify then they can simply change their program after they pay him.
TCC seems a very weak system so I expect Apple will replace it in the near future, here is a blog post on it:
https://objective-see.com/blog/blog_0x4C.html