Tuesday, July 13, 2021

More Trouble With the Apple Security Bounty

Nicolas Brunner (Hacker News):

In march 2020 I found a way to access a User’s location permanently and without consent on any iOS 13 (or older) device. This seemed like a critical issue to me — especially with Apple’s focus on privacy in the last years.

The report got accepted and the issue was fixed in iOS 14 and I got credited on the iOS 14 security content release notes. However, as of today, Apple refuses any bounty payment, although the report at hand very clearly qualifies according to their own guidelines. Also, Apple refuses to elaborate on why the report would not qualify.


Right now, I feel robbed. However I still hope, that the security bounty program turns out to be a win-win situation for both parties. In my current understanding however, I do not see any reason, why developers like myself should continue to contribute to it. In my case, Apple was very slow with responses (the entire process took 14 months), then turned me away without elaborating on the reasons and stopped answering e-mails.

Steve Troughton-Smith:

I’m not sure why one of the richest companies in the world feels like it needs to be so stingy with its bounty program; it feels far more like a way to keep security issues hidden & unfixed under NDA than a way to find & fix them.


If you did have knowledge of some major security flaws, why would you ever submit them to a bounty program if your last 10 submissions went nowhere and took months/years of fruitless email chasing? This stuff should be like clockwork

As an example: did you know any iOS app can read your iCloud account’s full name & email address without any kind of permissions prompt or access to your contacts? What about your phone number? Or recent searches in Photos? I figured this was worth a security report… in 2019

See also: Stop the Medium.


Update (2021-07-15): Csaba Fitzl (tweet):

Since Apple started their Apple Security Bounty program I have submitted around 50 cases to their product security team. I thought I will share my experiences working with Apple in the past 2 years. This will be useful to anyone thinking about participating in the program, and will help setting up expectations.


The issue is that even if you ask for an update, you don’t get any. Often times, it feels like I’m sending emails into a black hole. This is really frustrating. Even a reply like “we don’t have any update at the moment” would be nice, but often times that is also missed.


Although compared to many programs in H1 or BugCrowd, they are not an outlier here, but some cases can easily go over a year. Especially design issues, which are typically addressed only in the next major release (e.g.: macOS 12). I’m personally tracking 7 such cases.


Once the issue is fixed Apple will review the case and decide if it’s eligible for a bounty or not. I think this is the worse part of the whole process. This can take extremely long time, I have issues, which were fixed in the initial release of Big Sur (half year ago!) and a decision hasn’t been made yet. […] I think this is the part why you can’t rely on them for living, unless you have a buffer for a year or two.

Update (2021-07-26): Nick Heer:

Apple says that it pays one million dollars for a “zero-click remote chain with full kernel execution and persistence” — and 50% more than that for a zero-day in a beta version — pales compared to the two million dollars that Zerodium is paying for the same kind of exploit.


Security researchers should not have to grovel to get paid for reporting a vulnerability, no matter how small it may seem. Buy why would anyone put themselves through this process when there are plenty of companies out there paying far more?

The good news is that Apple can get most of the way toward fixing this problem by throwing money at it. Apple has deep pockets; it can keep increasing payouts until the grey market cannot possibly compete. That may seem overly simplistic, but at least this security problem is truly very simple for Apple to solve.


2 Comments RSS · Twitter

"did you know any iOS app can read your iCloud account’s full name & email address without any kind of permissions prompt or access to your contacts?"

Is this really true? I tried to verify it with a quick search but could not find a good source.

This would make me somewhat uncomfortabe because I deliberately try to silo my "personas" between different Ad-supported companies.

[…] Troubles With Apple’s Bug Bounty Program […]

Leave a Comment