Apple employee misses out on $10,000 bug bounty from Google

Google Chrome icon

An Apple employee found an incredibly small bug in Chrome and didn't take long to report it, but still Google says he or she was too late, they won't pay up.

And they say Apple is mean with its bug bounty rewards program. During a "Capture the Flag" (CTF hacking contest in March, an Apple employee spotted a previously unknown bug in Google Chrome.

According to TechCrunch, he or she then followed a procedure to test and report it.

"It took me 2 weeks working on it full time to root cause, write [the] exploit [Proof of Concept] and writeup the issue such that it can be fixed," wrote a TechCrunch forum member claiming to be the original discoverer.

"It was reported on June 5th, through my company," he or she continued. "Yes it was late, there are multiple reasons for that. I first had to find the person responsible, the report had to be signed off by people and then the person responsible was [out-of-office]."

Going by the name Galileo, the forum commenter added that there "wasn't any real urgency."

"Only you and my team was aware of it and the issue is likely not that great in a real world scenario," he or she continued, "(doesn't work on Android, pretty visible since it freezes the Chrome GUI for a few seconds)."

But before this Apple employee reported the bug, someone else did. That unnamed person made it clear to Google that they did not find the bug, but they were at the CTF contest and wanted to be sure it was reported.

This person was awarded $10,000 by Google, despite protesting that they did not discover it. In Google's bug report, the company now notes that "we have been made aware that there are some disagreements with how this was presented to us."

"The reporter of this issue has just made us aware that the reporter of issue 1451211 was key in the original discovery that led to this report," it says. "We are happy to include them in acknowledgement here and in the security fix/release notes for this issue when we receive that information."

"Otherwise, we do not see the need for any other action here," continues Google. "We do not plan to reissue this reward."

Google reportedly fixed the zero day bug after the first report and before the discoverer supplied the details.

While this particular bug was reportedly mild in the extreme, overall in 2022, Google Chrome was found to be the browser most vulnerable to security issues.

Follow AppleInsider on Google News

13 Comments

clexman 209 comments · 15 Years

About 9 months ago

The headline should be, "Person comes in 2nd, wants the same trophy as the person who came in 1st." Says, "Rules are not fair and shouldn't be followed."

ranson 69 comments · 15 Years

About 9 months ago

clexman said:

The headline should be, "Person comes in 2nd, wants the same trophy as the person who came in 1st." Says, "Rules are not fair and shouldn't be followed."

I disagree here, because the circumstances are highly unusual. The reasons the Apple employee was not first to report the vulnerability are listed out in the article. In simplest terms, it boils down to someone who does not work at Apple and was not involved in discovering the vulnerability having effectively overheard the Apple team talking about their discovery during the hackathon and submitting the form first. The reporter likely just provided the steps to reproduce the attack to Google, all while the original discoverer was still working to author a deep technical description of the vulnerability and identify any similar or derivative methods of exploiting it.

Imagine physicist who makes an amazing discovery, or an astronomer who discovers a new asteroid or dwarf planet. And now imagine someone else who witnessed the discovery actually going to publication with details about it before the discoverer. That would be the death knell for the ninja's career because it's plagiarism.

When someone makes a novel discovery, everyone else should provide space and deference for the discoverer to confirm their findings and report them properly and completely. In the case of cybersecurity, this is especially important because denying someone a bounty for finding a vulnerability (much less, awarding it to someone completely disconnected from the discovery) will only encourage the discoverer to stop participating in the bounty program going forward. And since they are the one actually finding the vulnerabilities (and not the ninja), we absolutely want them to continue in the program, so as to ensure the most secure products that the vast majority of the world is using every day of their lives.

igorsky 757 comments · 9 Years

About 9 months ago

Funny how all the blogs initially reported this as “Apple didn’t tell Google about a Chrome zero-day exploit”.

killroy 276 comments · 17 Years

About 9 months ago

clexman said:

The headline should be, "Person comes in 2nd, wants the same trophy as the person who came in 1st." Says, "Rules are not fair and shouldn't be followed."

Wants the same trophy as the low life person that stole the report. FIFY.

Latest Exclusives

Latest comparisons