Tuesday, October 29, 2019

Apple v. Corellium

Thaddeus E. Grugq:

This is an entertaining read and doesn’t cast Apple in the best light.


This is pretty blatant. I’m no lawyer, but it’s hard to see how Apple can spin:

🍏: “we will pay you bug bounty money to fund your company.”

C: loadsa bugs

🍏: Thanks for the bugs, about that bounty? lol j/k

p.s. now we’re suing you, and we want all your bugs.

Jeff Johnson:

Apple hasn’t done ANYTHING they announced at BlackHat. All talk, no action.

So far there are no special iPhones for security researchers, nor has the Mac bug bounty program been opened.


Update (2019-11-02): Thomas Brewster (tweet, MacRumors):

Wade says he’s consistently handed details of security weaknesses to Apple. In 2016, after Apple announced it was launching a so-called Bug Bounty, where researchers are given monetary reward for disclosing vulnerabilities in iOS (now up to $1.5 million), Wade planned on partly funding Corellium with those bounties. He wanted to do it transparently, he says, and in one email dated September 27 2017, Wade explicitly told Apple’s manager for security and privacy programs, Jason Shirk, that he would start submitting bugs to fund his iPhone virtualizing startup.

The filing also suggests Apple encouraged Corellium’s early business. Emails provided to Forbes indicate Apple was at least impressed. Just as Corellium was getting started, in August 2017, Apple hosted a dinner in China for the Tencent Security Conference. Wade and Shirk dined together on Apple’s dime and later exchanged messages, according to the email threads. In one Wade boasted that he could virtualize the latest iPhone. Shirk’s response? “Wow! You got iOS 10.3 running virtually?” Wade cheekily messaged back: “Actually, we’re running iOS 11 :).”

At some point in the last year, something soured. In its filing on Monday, Corellium said that it hasn’t been paid for any of the vulnerabilities it submitted. In a counterclaim, the startup said that rather than it owing Apple anything, the Cupertino company owed it more than $300,000.

Update (2019-11-27): Will Strafach:

peeking through latest Corellium filing and let me tell you, this is not a good look for Apple at all.

either the left hand does not know what the right hand is doing, or Apple is doing business in an incredibly shady manner.

I am quite shocked by this.


Unredacted version of Corellium’s legal answer is public

This entire lawsuit is an obvious attempt to decrease the value of Corellium to either

1) own them, or
2) put them out of business to prevent researchers from finding bugs

Pwn All The Things:

If true, this is a gross case of monopoly abuse by Apple[…]

The tl;dr is this case isn’t about copyright or exploits, it’s about Apple capturing the security market for iOS bug hunters, and shutting down all the avenues of non-invited security research on their platform.

2 Comments

Hey Michael, it looks like the "This" URL doesn't go to the right place and it should link to:

