Tuesday, June 2, 2026

No Bounty for Mysk

Mysk:

We had lengthy discussions explaining the bug to Apple. It was clear to us the bug was new to Apple Product Security. After 5 months, they informed us that the report was treated as a duplicate and it was addressed.

We just got this update for CVE-2026-28910: No bounty.

[…]

It is hard to believe that our report was a duplicate. The bug was present in all previous macOS releases and now all of a sudden two independent reports addressed it at once!! What are the odds of that? We reported the bug in October 2025. Apple fixed it in March 2026. So they knew about this critical bug earlier than October and left it unpatched all this time?

Mysk:

We have a series of bad experiences with the way Apple Product Security treats our reports. It started with the clipboard: we spent lengthy exchanges convincing them it was a bug, and they concluded it wasn’t an issue. When we published the demo we submitted to them, the media helped raise awareness about it. Pressured by social media demands, Apple introduced the clipboard notification in iOS.

And recently we reported a bug that the Passwords app would contact websites over HTTP to download icons. Same behavior: not an issue -> lengthy discussion -> FINE we fix it. Then they said our work didn’t meet their criteria for a bounty. After that and in iOS 26, they introduced this option in the settings (see screenshot). It is clearly based on our unpaid work that we fought hard to convince their team it was an issue.

Mysk:

We will no longer submit bugs we discover in Apple systems through the Apple Bounty Program.

neils:

Apple did this to me in 2019 over a Messages 0-click bug. So I did some magic and got myself added to their daily bug bounty standup call, which was just a FaceTime group call. I submitted another vuln with a screenshot of their call and got a threatening letter.

Lior Halphon:

A few years ago I reported a bug, which Apple fixed. When I asked for the bounty and credit, they ghosted me. They did eventually provide both the payout and the credit (although they listed the wrong affected OS versions in the security bulletin), but only after Twitter shaming.

That said, the whole experience never felt malicious or deliberate, it simply reeked of incompetence and severe lack of organization.

Denis Kanonik:

From my experience of reporting bugs to Apple, they never admit that you were the first; it’s always a duplicate. Even if there is no bounty promised or expected and the novelty is obvious.

Bob Burrough:

Apple peeps […] you should reward the effort expended by the 3rd party for helping secure your products…not whether the report is new to you….especially when the issue hasn’t yet been published. Even reviewing the duplicate helps you understand the bug.

5 Comments


Kevin Grant

I know at least ten years ago I was still saying something to the effect of: if Apple continues to undervalue the real time/effort that 3rd parties invest, then those parties will simply start to go away and the effects will be seen in software quality. It is not a mystery why Apple software these days is filled with glitches: they have done nothing to cultivate a productive relationship with outsiders that have real potential to improve their platforms.


So the security theatre includes the bug bounty program.

I don't know who will be left defending these platforms much less developing for them.


Apple is too prideful to admit it makes mistakes others have to catch for them, so they act like their pockets are empty instead.


> That said, the whole experience never felt malicious or deliberate, it simply reeked of incompetence and severe lack of organization.

That would be barely acceptable for a very small company. Here, it's a company with a market cap of $4.616 Trillion USD.


Bad news for us. All gonna be more vulnerable.

Great news for Mysk though, they’ll get paid a hell of a lot more on the market.
