{"id":43223,"date":"2024-05-14T16:14:48","date_gmt":"2024-05-14T20:14:48","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=43223"},"modified":"2024-05-16T15:13:28","modified_gmt":"2024-05-16T19:13:28","slug":"no-bounty-for-kernel-vulnerability","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2024\/05\/14\/no-bounty-for-kernel-vulnerability\/","title":{"rendered":"No Bounty for Kernel Vulnerability"},"content":{"rendered":"<p><a href=\"https:\/\/twitter.com\/R00tkitSMM\/status\/1790076101672284594\">Meysam Firouzi<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/R00tkitSMM\/status\/1790076101672284594\">\n<p>I reported CVE-2024-27804, an iOS\/macOS kernel vulnerability that leads to the execution of arbitrary code with kernel privileges.<\/p>\n<\/blockquote>\n<p>It&rsquo;s fixed in iOS 17.5 and macOS 14.5, but Apple says it&rsquo;s <a href=\"https:\/\/twitter.com\/R00tkitSMM\/status\/1790269915028467800\">not eligible for the security bounty<\/a>.<\/p>\n\n<p>Via <a href=\"https:\/\/news.ycombinator.com\/item?id=40352577\">Hacker News<\/a> and <a href=\"https:\/\/mastodon.social\/@lapcatsoftware\/112439570723232101\">Jeff Johnson<\/a>.<\/p>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2024\/05\/13\/ios-17-5-and-ipados-17-5\/\">iOS 17.5 and iPadOS 17.5<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2024\/05\/13\/macos-14-5\/\">macOS 14.5<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2024\/02\/19\/reporting-a-full-disk-access-bug-to-apple\/\">Reporting a Full Disk Access Bug to Apple<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2022\/11\/04\/sirispy-bug\/\">SiriSpy Bug<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2022\/01\/19\/an-examination-of-the-bug-bounty-marketplace\/\">An Examination of the Bug Bounty Marketplace<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2021\/07\/13\/more-trouble-with-the-apple-security-bounty\/\">More Trouble With the Apple Security 
Bounty<\/a><\/li>\n<\/ul>\n\n<p id=\"no-bounty-for-kernel-vulnerability-update-2024-05-15\">Update (2024-05-15): See also: <a href=\"https:\/\/www.reddit.com\/r\/apple\/comments\/1cs355k\/no_bounty_for_kernel_vulnerability\/\">Reddit<\/a>.<\/p>\n\n<p id=\"no-bounty-for-kernel-vulnerability-update-2024-05-16\">Update (2024-05-16): <a href=\"https:\/\/twitter.com\/R00tkitSMM\/status\/1790781775905423384\">Meysam Firouzi<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/R00tkitSMM\/status\/1790781775905423384\"><p>Seems Apple have concluded that the reported CVE is not exploitable and they are planning to update the description to accurately describe the issue as an unexpected system termination rather than arbitrary code execution, but for good faith they will reward me $1000. Thanks @Apple<\/p><\/blockquote>\n\n<p>Apple really did update the <a href=\"https:\/\/support.apple.com\/en-us\/HT214101\">security notes<\/a> to say &ldquo;Impact: An app may be able to cause unexpected system termination.&rdquo; Originally, the description was &ldquo;Impact: An app may be able to execute arbitrary code with kernel privileges.&rdquo;<\/p>\n\n<p>Via <a href=\"https:\/\/daringfireball.net\/linked\/2024\/05\/15\/apple-stiffs-researching\">John Gruber<\/a> (<a href=\"https:\/\/mastodon.social\/@daringfireball\/112447539252396845\">Mastodon<\/a>):<\/p>\n<blockquote cite=\"https:\/\/daringfireball.net\/linked\/2024\/05\/15\/apple-stiffs-researching\"><p>I would think Apple would want to err on the side of being liberal with bug bounty payouts, to encourage researchers to report as many as they can find.<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/mastodon.social\/@chockenberry\/112441849676833523\">Craig Hockenberry<\/a>:<\/p>\n<blockquote cite=\"https:\/\/mastodon.social\/@chockenberry\/112441849676833523\"><p>A not fun fact: I didn&rsquo;t get a security bounty for a macOS release that was done specifically to address an issue I found.<\/p><p>The rationale was that I 
disclosed the issue publicly. Which I did after reporting it in the beta releases, and after they said &ldquo;we&rsquo;re unable to identify an issue in your report&rdquo;, AND AFTER THEY RELEASED THE FUCKING VULNERABILITY.<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/mastodon.social\/@maas@c.im\/112443372411118770\">mmzeeman<\/a>:<\/p>\n<blockquote cite=\"https:\/\/mastodon.social\/@maas@c.im\/112443372411118770\"><p>Sounds familiar. When I reported a small issue with the Sign in with Apple API they denied there was a problem when they reported back (took months). The thing was that they fixed the problem just before reporting back. &#x1F62E;. But they introduced another bug. Now one of the boolean values was put in the signed response as the string &ldquo;true&rdquo; or &ldquo;false&rdquo;. Which potentially leaves implementations vulnerable. So I filed another report. After which their documentation was silently altered at some point. &#x1F640; I never heard back from them.<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/hachyderm.io\/@ezekiel\/112448426098732665\">Ezekiel Elin<\/a>:<\/p>\n<blockquote cite=\"https:\/\/hachyderm.io\/@ezekiel\/112448426098732665\">\n<p>Apple claims the ability to start a remote screen share session by speaking over FaceTime when the receiver has voice control on is not a security risk so&#8230;<\/p>\n<\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Meysam Firouzi: I reported CVE-2024-27804, an iOS\/macOS kernel vulnerability that leads to the execution of arbitrary code with kernel privileges. It&rsquo;s fixed in iOS 17.5 and macOS 14.5, but Apple says it&rsquo;s not eligible for the security bounty. Via Hacker News and Jeff Johnson. 
Previously: iOS 17.5 and iPadOS 17.5 macOS 14.5 Reporting a Full [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2024-05-14T20:14:52Z","apple_news_api_id":"946af6e5-22be-4abc-99f5-c4ee0de46e58","apple_news_api_modified_at":"2024-05-16T19:13:32Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAABA==","apple_news_api_share_url":"https:\/\/apple.news\/AlGr25SK-SryZ9cTuDeRuWA","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[2098,131,31,2321,845,30,2385,48,1227],"class_list":["post-43223","post","type-post","status-publish","format-standard","hentry","category-technology","tag-apple-security-bounty","tag-bug","tag-ios","tag-ios-17","tag-kernel","tag-mac","tag-macos-14-sonoma","tag-security","tag-top-posts"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/43223","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=43223"}],"version-history":[{"count":6,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/43223\/revisions"}],"predecessor-version":[{"id":43277,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/43223\/revis
ions\/43277"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=43223"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=43223"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=43223"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}