{"id":27087,"date":"2019-10-29T16:20:16","date_gmt":"2019-10-29T20:20:16","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=27087"},"modified":"2021-07-13T11:55:23","modified_gmt":"2021-07-13T15:55:23","slug":"apple-v-corellium","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2019\/10\/29\/apple-v-corellium\/","title":{"rendered":"Apple v. Corellium"},"content":{"rendered":"<p><a href=\"https:\/\/twitter.com\/thegrugq\/status\/1189074034392059905\">Thaddeus E. Grugq<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/thegrugq\/status\/1189074034392059905\">\n<p><a href=\"https:\/\/www.pacermonitor.com\/public\/case\/29583744\/Apple_Inc_v_Corellium,_LLC\">This<\/a> is an entertaining read and doesn&rsquo;t cast Apple in the best light.<\/p>\n<p>[&#8230;]<\/p>\n<p>This is pretty blatant. I&rsquo;m no lawyer, but it&rsquo;s hard to see how Apple can spin:<\/p>\n<p>&#x1F34F;: &ldquo;we will pay you bug bounty money to fund your company.&rdquo;<\/p>\n<p>C: loadsa bugs<\/p>\n<p>&#x1F34F;: Thanks for the bugs, about that bounty? lol j\/k<\/p>\n<p>p.s. now we&rsquo;re suing you, and we want all your bugs.<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/twitter.com\/lapcatsoftware\/status\/1188897768229785602\">Jeff Johnson<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/lapcatsoftware\/status\/1188897768229785602\">\n<p>Apple hasn&rsquo;t done ANYTHING they announced at BlackHat. 
All talk, no action.<\/p>\n<\/blockquote>\n\n<p>So far there are no special iPhones for security researchers, nor has the Mac bug bounty program been opened.<\/p>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2019\/10\/09\/file-system-events-privacy-protections-bypass\/\">File System Events Privacy Protections Bypass<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2019\/08\/16\/apple-files-lawsuit-against-corellium-for-ios-virtualization\/\">Apple Files Lawsuit Against Corellium for iOS Virtualization<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2019\/08\/06\/hacker-friendly-iphones-and-mac-bug-bounty-program\/\">Hacker-Friendly iPhones and Mac Bug Bounty Program<\/a><\/li>\n<\/ul>\n\n<p id=\"apple-v-corellium-update-2019-11-02\">Update (2019-11-02): <a href=\"https:\/\/www.forbes.com\/sites\/thomasbrewster\/2019\/10\/29\/exclusive-a-magic-iphone-hacking-startup-bites-back-at-apple-lawyers\/#3075b49115f0\">Thomas Brewster<\/a> (<a href=\"https:\/\/twitter.com\/iblametom\/status\/1189148765313261568\">tweet<\/a>, <a href=\"https:\/\/www.macrumors.com\/2019\/10\/29\/apple-corellium-ios-lawsuit\/\">MacRumors<\/a>):<\/p>\n<blockquote cite=\"https:\/\/www.forbes.com\/sites\/thomasbrewster\/2019\/10\/29\/exclusive-a-magic-iphone-hacking-startup-bites-back-at-apple-lawyers\/#3075b49115f0\"><p>Wade says he&rsquo;s consistently handed details of security weaknesses to Apple. In 2016, after Apple announced it was launching a so-called Bug Bounty, where researchers are given monetary reward for disclosing vulnerabilities in iOS (now up to $1.5 million), Wade planned on partly funding Corellium with those bounties. 
He wanted to do it transparently, he says, and in one email dated September 27 2017, Wade explicitly told Apple&rsquo;s manager for security and privacy programs, Jason Shirk, that he would start submitting bugs to fund his iPhone virtualizing startup.<\/p>\n<p>The filing also suggests Apple encouraged Corellium&rsquo;s early business. Emails provided to <em>Forbes<\/em> indicate Apple was at least impressed. Just as Corellium was getting started, in August 2017, Apple hosted a dinner in China for the Tencent Security Conference. Wade and Shirk dined together on Apple&rsquo;s dime and later exchanged messages, according to the email threads. In one Wade boasted that he could virtualize the latest iPhone. Shirk&rsquo;s response? &ldquo;Wow! You got iOS 10.3 running virtually?&rdquo; Wade cheekily messaged back: &ldquo;Actually, we&rsquo;re running iOS 11 :).&rdquo;<\/p>\n<p>At some point in the last year, something soured. In its filing on Monday, Corellium said that it hasn&rsquo;t been paid for any of the vulnerabilities it submitted. 
In a counterclaim, the startup said that rather than it owing Apple anything, the Cupertino company owed it more than $300,000.<\/p><\/blockquote>\n\n<p id=\"apple-v-corellium-update-2019-11-27\">Update (2019-11-27): <a href=\"https:\/\/twitter.com\/chronic\/status\/1193021429932945410\">Will Strafach<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/chronic\/status\/1193021429932945410\">\n<p>peeking through latest Corellium filing and let me tell you, this is not a good look for Apple at all.<\/p>\n<p>either the left hand does not know what the right hand is doing, or Apple is doing business in an incredibly shady manner.<\/p>\n<p>I am quite shocked by this.<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/twitter.com\/Fox0x01\/status\/1193097348076978176\">Azeria<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/Fox0x01\/status\/1193097348076978176\">\n<p>Unredacted version of Corellium&rsquo;s legal answer is <a href=\"https:\/\/t.co\/JXoyk6yI8F?amp=1\">public<\/a><\/p>\n<p>This entire lawsuit is an obvious attempt to decrease the value of Corellium to either<\/p>\n<p>1) own them, or<br \/>\n2) put them out of business to prevent researchers from finding bugs<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/twitter.com\/pwnallthethings\/status\/1193169409071820800\">Pwn All The Things<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/pwnallthethings\/status\/1193169409071820800\">\n<p>If true, this is a gross case of monopoly abuse by Apple[&#8230;]<\/p>\n<p>The tl;dr is this case isn&rsquo;t about copyright or exploits, it&rsquo;s about Apple capturing the security market for iOS bug hunters, and shutting down all the avenues of non-invited security research on their platform.<\/p>\n<\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Thaddeus E. Grugq: This is an entertaining read and doesn&rsquo;t cast Apple in the best light. [&#8230;] This is pretty blatant. 
I&rsquo;m no lawyer, but it&rsquo;s hard to see how Apple can spin: &#x1F34F;: &ldquo;we will pay you bug bounty money to fund your company.&rdquo; C: loadsa bugs &#x1F34F;: Thanks for the bugs, about that [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2019-10-29T20:20:21Z","apple_news_api_id":"3722c1f8-dabd-49f1-b5ec-b13320dacb7d","apple_news_api_modified_at":"2021-07-13T15:55:26Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAABA==","apple_news_api_share_url":"https:\/\/apple.news\/ANyLB-Nq9SfG17LEzINrLfQ","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[38,2098,131,1909,31,85,41,209,30,1666,48],"class_list":["post-27087","post","type-post","status-publish","format-standard","hentry","category-technology","tag-apple","tag-apple-security-bounty","tag-bug","tag-corellium","tag-ios","tag-iphone","tag-lawsuit","tag-legal","tag-mac","tag-macos-10-15","tag-security"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/27087","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=27087"}],"version-history":[{"count":4,"href":"https:\/\/mjtsa
i.com\/blog\/wp-json\/wp\/v2\/posts\/27087\/revisions"}],"predecessor-version":[{"id":27436,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/27087\/revisions\/27436"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=27087"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=27087"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=27087"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}