Tuesday, October 29, 2019

Apple v. Corellium

Thaddeus E. Grugq:

This is an entertaining read and doesn’t cast Apple in the best light.


This is pretty blatant. I’m no lawyer, but it’s hard to see how Apple can spin:

🍏: “we will pay you bug bounty money to fund your company.”

C: loadsa bugs

🍏: Thanks for the bugs, about that bounty? lol j/k

p.s. now we’re suing you, and we want all your bugs.

Jeff Johnson:

Apple hasn’t done ANYTHING they announced at BlackHat. All talk, no action.

So far there are no special iPhones for security researchers, nor has the Mac bug bounty program been opened.


Update (2019-11-02): Thomas Brewster (tweet, MacRumors):

Wade says he’s consistently handed details of security weaknesses to Apple. In 2016, after Apple announced it was launching a so-called Bug Bounty, where researchers are given monetary reward for disclosing vulnerabilities in iOS (now up to $1.5 million), Wade planned on partly funding Corellium with those bounties. He wanted to do it transparently, he says, and in one email dated September 27 2017, Wade explicitly told Apple’s manager for security and privacy programs, Jason Shirk, that he would start submitting bugs to fund his iPhone virtualizing startup.

The filing also suggests Apple encouraged Corellium’s early business. Emails provided to Forbes indicate Apple was at least impressed. Just as Corellium was getting started, in August 2017, Apple hosted a dinner in China for the Tencent Security Conference. Wade and Shirk dined together on Apple’s dime and later exchanged messages, according to the email threads. In one Wade boasted that he could virtualize the latest iPhone. Shirk’s response? “Wow! You got iOS 10.3 running virtually?” Wade cheekily messaged back: “Actually, we’re running iOS 11 :).”

At some point in the last year, something soured. In its filing on Monday, Corellium said that it hasn’t been paid for any of the vulnerabilities it submitted. In a counterclaim, the startup said that rather than it owing Apple anything, the Cupertino company owed it more than $300,000.


Hey Michael, it looks like the "This" URL doesn't go to the right place and it should link to:

