Tuesday, May 14, 2024

No Bounty for Kernel Vulnerability

Meysam Firouzi:

I reported CVE-2024-27804, an iOS/macOS kernel vulnerability that leads to the execution of arbitrary code with kernel privileges.

It’s fixed in iOS 17.5 and macOS 14.5, but Apple says it’s not eligible for the security bounty.

Via Hacker News and Jeff Johnson.

Previously:

Update (2024-05-15): See also: Reddit.

Update (2024-05-16): Meysam Firouzi:

Seems Apple has concluded that the reported CVE is not exploitable and they are planning to update the description to accurately describe the issue as an unexpected system termination rather than arbitrary code execution, but in good faith they will reward me $1000. Thanks @Apple

Apple really did update the security notes to say “Impact: An app may be able to cause unexpected system termination.” Originally, the description was “Impact: An app may be able to execute arbitrary code with kernel privileges.”

Via John Gruber (Mastodon):

I would think Apple would want to err on the side of being liberal with bug bounty payouts, to encourage researchers to report as many as they can find.

Craig Hockenberry:

A not fun fact: I didn’t get a security bounty for a macOS release that was done specifically to address an issue I found.

The rationale was that I disclosed the issue publicly. Which I did after reporting it in the beta releases, and after they said “we’re unable to identify an issue in your report”, AND AFTER THEY RELEASED THE FUCKING VULNERABILITY.

mmzeeman:

Sounds familiar. When I reported a small issue with the Sign in with Apple API they denied there was a problem when they reported back (took months). The thing was that they fixed the problem just before reporting back. 😮. But they introduced another bug. Now one of the boolean values was put in the signed response as the string “true” or “false”. Which potentially leaves implementations vulnerable. So I filed another report. At which point their documentation was silently altered. 🙀 I never heard back from them.
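The failure mode mmzeeman describes, a boolean claim arriving as the string “true” or “false” inside a signed response, bites any client that tests the raw value for truthiness: the non-empty string “false” is truthy in most languages, so a string-encoded false passes as true. The following is an added example, not code from the page, from mmzeeman, or from Apple. The claim name `email_verified` is assumed for illustration (the comment does not name the field), the payloads are constructed, and signature verification of the token is assumed to have been done before the claims are read.

```python
"""Handling a boolean claim that may arrive as the string "true"/"false".

Added example, not code from the page or from Apple. The claim name
``email_verified`` is assumed for illustration; the sample payloads are
constructed. The token signature is assumed to have been verified by a
proper JWT library before these claims are trusted.
"""
from typing import Any, Mapping


def naive_is_verified(claims: Mapping[str, Any]) -> bool:
    """The vulnerable pattern: Python truthiness on the raw claim value.

    Correct while the value is a JSON boolean, but the non-empty string
    "false" is truthy, so a string-encoded false is treated as verified.
    """
    return bool(claims.get("email_verified", False))


def claim_as_bool(claims: Mapping[str, Any], name: str) -> bool:
    """Normalise a claim that may be a JSON boolean or the strings "true"/"false".

    Anything else (missing, other strings, numbers) is rejected rather than
    coerced, so an unexpected encoding fails closed instead of open.
    """
    value = claims.get(name)
    if isinstance(value, bool):          # JSON true/false
        return value
    if isinstance(value, str):           # string-encoded "true"/"false"
        lowered = value.strip().lower()
        if lowered == "true":
            return True
        if lowered == "false":
            return False
    raise ValueError(f"claim {name!r} has unexpected value {value!r}")


def is_verified(claims: Mapping[str, Any]) -> bool:
    """Hardened check: only an explicit true (either encoding) counts."""
    try:
        return claim_as_bool(claims, "email_verified")
    except ValueError:
        return False


# Constructed sample payloads (not real tokens): the same assertion in the
# two encodings the comment describes, plus a string-encoded true.
BOOL_FALSE = {"sub": "001234.abcdef", "email": "user@example.com",
              "email_verified": False}
STRING_FALSE = {"sub": "001234.abcdef", "email": "user@example.com",
                "email_verified": "false"}
STRING_TRUE = {"sub": "001234.abcdef", "email": "user@example.com",
               "email_verified": "true"}

if __name__ == "__main__":
    for label, claims in [("bool false", BOOL_FALSE),
                          ("string false", STRING_FALSE),
                          ("string true", STRING_TRUE)]:
        print(f"{label:13s} naive={naive_is_verified(claims)!s:5s} "
              f"hardened={is_verified(claims)}")
```

The naive check reports `True` for the `"false"` payload, so an address the provider explicitly marked unverified would pass a gate that is supposed to require verification. The hardened check accepts both encodings and rejects everything else, which is the safer posture when a provider changes the wire format without notice.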

Ezekiel Elin:

Apple claims the ability to start a remote screen share session by speaking over FaceTime when the receiver has voice control on is not a security risk so…

8 Comments

Why wouldn’t they pay a bounty for Kernel vulnerabilities? That seems like the most important kind of vulnerability you want people to find

That’s very, very strange

Old Unix Geek

People shouldn't do free work for multi-trillion dollar corporations. They should find their own bloody bugs -- they have the money to actually employ people for this task.

Perhaps Apple would be on the verge of bankruptcy if it started paying bounties for vulnerabilities instead of spending this money on lobbying and spin doctors.

I don't understand why anyone reports any bugs to Apple at this point, much less reporting serious vulnerabilities for which one ought to get paid. The former just goes into a trash bin, never to be looked at or fixed, and for the latter Apple is obviously acting in bad faith after the umpteenth report of someone not getting paid or getting paid a pittance.

I'm guessing this goes against the terms of Apple's bug bounty program (which I haven't read) but I wonder if it's possible to negotiate a proper contract with them before revealing the details of the bug, to ensure you get paid. That's a pretty gray hat move but Apple isn't exactly doing its part to bring in the white hat hackers.

> I wonder if it's possible to negotiate a proper contract with them

It’s certainly possible — and much more likely if security researchers formed a union.

No bug bounty for a KERNEL VULNERABILITY‽ Apple has so much excess cash on hand they really have no excuse here.

Scott Ocheltree

Aren't there plenty of bad actors out there paying "bounties"? I would think Apple would want to be outbidding the state-sponsored cyber terrorists for these things.

Old Unix Geek

Actually, I see a systemic advantage to selling exploits to the highest bidder: it might shake Apple out of its complacency, or barring that, trash its self-proclaimed fake reputation for "security" and "privacy" in the public's mind.
