Mac Bug Bounty Program Opens
Apple (Hacker News, MacRumors):
As part of Apple’s commitment to security, we reward researchers who share critical issues with us through the Apple Security Bounty. You can now earn up to $1,500,000 and report issues on iOS, iPadOS, macOS, tvOS, watchOS, and iCloud. In addition, Apple offers public recognition for those who submit valid reports and will match donations of the bounty payment to qualifying charities.
These eligibility rules are meant to protect customers until an update is available, ensure Apple can quickly verify reports and create necessary updates, and properly reward those doing original research.
[…]
Not disclose the issue publicly before Apple releases the security advisory for the report. (Generally, the advisory is released along with the associated update to resolve the issue).
It sounds like you don’t get paid until (and unless) Apple fixes the bug.
Update (2019-12-20): Jeff Johnson:
iOS 13 and macOS 10.15 may have huge security holes that we haven’t heard about yet — that even Apple haven’t heard about yet! — because everyone started hoarding their bugs after the bounty program was announced back in August, while those major OS updates were still in beta.
I’d be most concerned about a system that used payment to prevent disclosure without fixing the issue. That achieves none of the goals.
I’m ok with “if you disclose early you don’t get paid.” That creates reasonable trade-offs for both sides. If Apple thinks the bug isn’t as important as you do, then Apple should be ok with you disclosing it. But if it’s very complex, then it could take months to fully fix.
[…]
Where I’d be concerned is if submitting the bug creates an NDA situation, paid or not. That would definitely be a problem.
Alas, that seems to be how the bug bounty program is designed.
Update (2020-04-20): Jeff Johnson:
Here’s the problem, though. What happens if a reported issue is not addressed for a very long time: 9 months, 12 months, or even more? Does Apple refuse to pay the bounty during that time? […] The Apple Security Bounty eligibility rules also state that researchers must “Not disclose the issue publicly before Apple releases the security advisory for the report”. As discussed recently by Google Project Zero, it’s common industry practice to disclose reported vulnerabilities after 90 days, but the rules of the Apple Security Bounty could force vulnerability reporters to remain silent indefinitely, which is unacceptable.
[…]
I hope that Apple has a good solution to this problem, and that Apple’s intention is not just to keep vulnerabilities a secret for as long as possible by dangling a bounty in front of the reporters.
The hacker-friendly phones announced at the same conference don’t seem to be available yet.
Update (2020-04-22): Francisco Tolmasky:
RE: Unbounded bug fix times. My further concern is whether you become persona non grata for future reports if you decide on principle to disclose your bug after 90 days despite losing your bounty reward.
I’m thinking about withdrawing from the Apple Security Bounty program.
I see no evidence that Apple is serious about the program. I’ve heard of only 1 bounty payment, and the bug wasn’t even Mac-specific.
Also, Apple Product Security has ignored my last email to them for weeks.
[…]
It’s a joke. I think the goal is just to keep researchers quiet about bugs for as long as possible.