Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Apple employee misses out on $10,000 bug bounty from Google

Google Chrome icon

An Apple employee found an incredibly small bug in Chrome and didn't take long to report it, but still Google says he or she was too late, they won't pay up.

And they say Apple is mean with its bug bounty rewards program. During a "Capture the Flag" (CTF hacking contest in March, an Apple employee spotted a previously unknown bug in Google Chrome.

According to TechCrunch, he or she then followed a procedure to test and report it.

"It took me 2 weeks working on it full time to root cause, write [the] exploit [Proof of Concept] and writeup the issue such that it can be fixed," wrote a TechCrunch forum member claiming to be the original discoverer.

"It was reported on June 5th, through my company," he or she continued. "Yes it was late, there are multiple reasons for that. I first had to find the person responsible, the report had to be signed off by people and then the person responsible was [out-of-office]."

Going by the name Galileo, the forum commenter added that there "wasn't any real urgency."

"Only you and my team was aware of it and the issue is likely not that great in a real world scenario," he or she continued, "(doesn't work on Android, pretty visible since it freezes the Chrome GUI for a few seconds)."

But before this Apple employee reported the bug, someone else did. That unnamed person made it clear to Google that they did not find the bug, but they were at the CTF contest and wanted to be sure it was reported.

This person was awarded $10,000 by Google, despite protesting that they did not discover it. In Google's bug report, the company now notes that "we have been made aware that there are some disagreements with how this was presented to us."

"The reporter of this issue has just made us aware that the reporter of issue 1451211 was key in the original discovery that led to this report," it says. "We are happy to include them in acknowledgement here and in the security fix/release notes for this issue when we receive that information."

"Otherwise, we do not see the need for any other action here," continues Google. "We do not plan to reissue this reward."

Google reportedly fixed the zero day bug after the first report and before the discoverer supplied the details.

While this particular bug was reportedly mild in the extreme, overall in 2022, Google Chrome was found to be the browser most vulnerable to security issues.