
Apple employee misses out on $10,000 bug bounty from Google

An Apple employee found a small bug in Chrome and did not take long to report it, but Google still says he or she was too late and will not pay up.

And they say Apple is mean with its bug bounty rewards program. During a "Capture the Flag" (CTF) hacking contest in March, an Apple employee spotted a previously unknown bug in Google Chrome.

According to TechCrunch, he or she then followed a procedure to test and report it.

"It took me 2 weeks working on it full time to root cause, write [the] exploit [Proof of Concept] and write up the issue such that it can be fixed," wrote a TechCrunch forum member claiming to be the original discoverer.

"It was reported on June 5th, through my company," he or she continued. "Yes it was late, there are multiple reasons for that. I first had to find the person responsible, the report had to be signed off by people and then the person responsible was [out-of-office]."

Going by the name Galileo, the forum commenter added that there "wasn't any real urgency."

"Only you and my team was aware of it and the issue is likely not that great in a real world scenario," he or she continued, "(doesn't work on Android, pretty visible since it freezes the Chrome GUI for a few seconds)."

But before this Apple employee reported the bug, someone else did. That unnamed person made it clear to Google that they did not find the bug, but they were at the CTF contest and wanted to be sure it was reported.

This person was awarded $10,000 by Google, despite protesting that they did not discover it. In Google's bug report, the company now notes that "we have been made aware that there are some disagreements with how this was presented to us."

"The reporter of this issue has just made us aware that the reporter of issue 1451211 was key in the original discovery that led to this report," it says. "We are happy to include them in acknowledgement here and in the security fix/release notes for this issue when we receive that information."

"Otherwise, we do not see the need for any other action here," continues Google. "We do not plan to reissue this reward."

Google reportedly fixed the zero-day bug after the first report and before the discoverer supplied the details.

While this particular bug was reportedly mild in the extreme, overall in 2022 Google Chrome was found to be the browser with the most reported security vulnerabilities.

13 Comments

clexman 15 Years · 218 comments

The headline should be, "Person comes in 2nd, wants the same trophy as the person who came in 1st." Says, "Rules are not fair and shouldn't be followed."

ranson 15 Years · 91 comments

clexman said:
The headline should be, "Person comes in 2nd, wants the same trophy as the person who came in 1st." Says, "Rules are not fair and shouldn't be followed."

I disagree here, because the circumstances are highly unusual. The reasons the Apple employee was not first to report the vulnerability are listed out in the article. In simplest terms, it boils down to someone who does not work at Apple and was not involved in discovering the vulnerability having effectively overheard the Apple team talking about their discovery during the hackathon and submitting the form first. The reporter likely just provided the steps to reproduce the attack to Google, all while the original discoverer was still working to author a deep technical description of the vulnerability and identify any similar or derivative methods of exploiting it.

Imagine a physicist who makes an amazing discovery, or an astronomer who discovers a new asteroid or dwarf planet. And now imagine someone else who witnessed the discovery actually going to publication with details about it before the discoverer. That would be the death knell for the ninja's career because it's plagiarism.

When someone makes a novel discovery, everyone else should provide space and deference for the discoverer to confirm their findings and report them properly and completely. In the case of cybersecurity, this is especially important because denying someone a bounty for finding a vulnerability (much less, awarding it to someone completely disconnected from the discovery) will only encourage the discoverer to stop participating in the bounty program going forward. And since they are the one actually finding the vulnerabilities (and not the ninja), we absolutely want them to continue in the program, so as to ensure the most secure products that the vast majority of the world is using every day of their lives.

jfabula1 2 Years · 173 comments

Don't be caught sleeping with the enemy.

igorsky 9 Years · 775 comments

Funny how all the blogs initially reported this as "Apple didn't tell Google about a Chrome zero-day exploit".

killroy 17 Years · 286 comments

clexman said:
The headline should be, "Person comes in 2nd, wants the same trophy as the person who came in 1st." Says, "Rules are not fair and shouldn't be followed."

Wants the same trophy as the low life person that stole the report. FIFY.