Apple's crippled bug bounty program makes us all less safe online

Posted:
in General Discussion
Paying people when they report serious security issues with macOS and iOS is a good idea but two years on, it's still only done in a half-hearted, miserly way. That's damaging for Apple and it's damaging for us.




There are problems that you cannot find in beta testing but which the millions of people using your products will ultimately spot.

Apple has some of the smartest and most experienced experts searching for problems in its software -- and most of them don't work for the company. Somebody, somewhere will find a problem, and the only question is what they will do with that information.

Right now, Apple has a program to discourage them from coming forward.

That's not how it's meant to be. Officially, Apple has had what it calls a bug bounty program since 2016 -- and it should be simple. If you find a serious bug in Apple's software, the company will pay a reward. That's it. Yes, there are going to be issues over whether you found it first but admin aside, it's straightforward.

Yet, we're three years into the bug bounty and this week Apple made television news by -- shock -- actually paying it out. And perhaps they only did so because of that news reporting.

Good Apple

Apple has done the right thing. It's not only paid some money for the discovery, it's fixed the problem and its release notes credit the people who found it.

People found a bug and reported it to Apple, who fixed it and said thank you. That is what happened and if it had happened in that sequence, if it had been even roughly a straight line through that process, we wouldn't be thinking about it. And, what's much more important, anyone else who finds a bug would go straight to Apple like we want them to. All credit to Apple for fixing this issue and definitely all credit to the company for creating this bug bounty program.

Only, it's as if the people who created the program are in a different office to the ones who are supposed to pay out.

Apple acts as if this bug bounty is an imposition on them, and the accounts department acts as if the amount is going to bankrupt the company. You don't get to become the world's most profitable company by casually spending money, but look at the numbers. The bug bounty is supposed to pay out between $25,000 and $200,000 and even in the short term, Apple's surely lost that in bad PR.

If this had gone another way, if Apple had accepted the bug report, acted on it right away and announced in a more timely fashion that it would pay for the kid's college education as a thank you, the company would be a star. Yes, everyone capable would be leaping on the bandwagon and trying to find a bug to tell Apple -- but that is precisely what they should want.

It's not that we want everybody to love Apple, it's that we want everybody who finds a bug to unhesitatingly take it straight to the company.

Holding out in protest

Also in February, a researcher has demonstrated a new Keychain exploit, that given the right circumstances will allow a persistent and focused attacker to extract your passwords from the Keychain. It isn't so simple that the passwords are downloaded to miscreants when a bad ad is displayed, but it is a vector of attack nonetheless.

And, the researcher isn't sharing the specific details with Apple, beyond a demonstration of the fact that it works -- because of the obtuse bug bounty program. It sure would be better if Apple had all the details here. Certainly, the researcher is holding out which is part of the problem, but the reason why it is being held back is pretty telling.

Not an insurmountable problem

Nobody wants Apple to look like it's alternately in denial and penny-pinching, but it does. Nobody on the side of the angels wants people who find bugs to think it's just easier to sell it to someone who'll exploit a macOS or iOS vulnerability.

Make it clear that telling Apple is the best thing -- and stop hiding how to even do this reporting. Right now, you will have difficulty finding out where to find this bug bounty program. Go ahead, search the Apple website for how you do it.

Maybe you thought about it for a sec and decided that apple.com wasn't the right place, you should search support.apple.com instead. Doesn't matter. No difference.

You'd think it would come up with something
You'd think it would come up with something


Unless you spend your time figuring out synonyms for bugs and problems -- forget bounty, money, reward -- then the only way to find out how to report a bug is via a Google search. If you instead go to google.com and search "bug bounty at apple.com" then you'll find it.

Or rather, you'll find a Support page called Contact Apple about Security Issues. There's a section for Customers which doesn't mention anything to do with this. There's a section for Developers which tells them to report issues via the regular Apple Developer Connection program that they all have to be enrolled in.

Then, finally, there's a section headed Security and privacy researchers and they are told they can email [email protected] if they want to. That's apparently the one you need but you could fool us because Apple doesn't say so here, it doesn't say so anywhere.

Smarts

If you're clever enough to find a bug, you're smart enough to eventually find the bug bounty program. There's also a good chance that you're smart enough to know that there is good money to be had from the kind of people you don't ever want to have access to bugs.

We're fine with it being difficult to find bad people to sell your bug to, and easy to sell it to Apple. Apple shouldn't be making it as hard to find the good people.

We do not and probably will never know how much money Apple has paid to the discover of this Group FaceTime bug. We also can't actually put a price on how much damage its penny-pinching denial process has cost it this time. Terrible headlines are still popping up all across the internet and social media, despite Apple having already fixed the problem.

It follows, then, that we can't really put a dollar figure on what this means next. You can put too much weight on a single incident but when it's the only incident being talked about, when it's the only incident that makes the news, then it's the one that will be remembered first.

So what we learn from this single incident is that Apple has a bug bounty program but it doesn't want you to know about it. We learn that Apple doesn't really want you to report bugs and it truly does not want to pay out.

And the next time someone finds a serious bug, that could cost Apple -- and us all -- a lot more than between $25,000 and $200,000.




Keep up with AppleInsider by downloading the AppleInsider app for iOS, and follow us on YouTube, Twitter @appleinsider and Facebook for live, late-breaking coverage. You can also check out our official Instagram account for exclusive photos.
lkrupp

Comments

  • Reply 1 of 18
    You get the impression they take it as an insult if someone finds a bug or security issue in their systems.
    williamlondon
  • Reply 2 of 18
    I looked. Apple does not have a program to discourage people from reporting bugs. 
    williamlondonRayz2016watto_cobra
  • Reply 3 of 18
    As long as it doesn't get into a bidding war with the exploit vendors.
  • Reply 4 of 18
    Mike WuertheleMike Wuerthele Posts: 4,634administrator
    kruegdude said:
    I looked. Apple does not have a program to discourage people from reporting bugs. 
    Reporting bugs != bug bounty program.

    It should be, but it isn't equivalent.
    williamlondon
  • Reply 5 of 18
    wood1208wood1208 Posts: 1,968member
    Every bug reported does not translate into reward from Apple. The bug has to be deep wide spread security related effecting people's identity and possibly harm financially.
  • Reply 6 of 18
    Mike WuertheleMike Wuerthele Posts: 4,634administrator
    wood1208 said:
    Every bug reported does not translate into reward from Apple. The bug has to be deep wide spread security related effecting people's identity and possibly harm financially.
    Sure, we don't disagree with that. However, Apple shouldn't have to be guilted into doing the right thing, again.
    beowulfschmidtwilliamlondon
  • Reply 7 of 18
    I couldn’t agree more. 
    williamlondon
  • Reply 8 of 18
    kruegdude said:
    I looked. Apple does not have a program to discourage people from reporting bugs. 
    Reporting bugs != bug bounty program.

    It should be, but it isn't equivalent.
    Yeah, I was lacking sufficient coffee when I typed that so my “brilliant point cast out upon the internet” was lost to a lack of thoughtful reflection. Maybe next time. 
    watto_cobra
  • Reply 9 of 18
    Sigh, this constant battle with the comments code while using an iPad caused me to look even more like and idiot than normal. My way of saying sorry about the duplicate posts. 
  • Reply 10 of 18
    kruegdude said:
    Sigh, this constant battle with the comments code while using an iPad caused me to look even more like and idiot than normal. My way of saying sorry about the duplicate posts. 
    Yeah, pretty amazing that AppleInsider's posting software doesn't work right on iOS. I'll have to try it under Windows Mobile.
  • Reply 11 of 18
    jdwjdw Posts: 752member
    Americans are so driven by numbers, always complaining payouts aren't big enough.  Being an American I have the right to say that.  Here in Japan things are different.  When interfacing digital devices to a vehicle's CAN bus, for example, our company occasionally finds bugs in Toyota cars. (Yes, cars have computers like the ECU and software too.)  One bug in particular was found to drain the car battery dead in short order, and the means of triggering the bug was rather easy for anyone who has a scan tool connected via OBD.  But not only does Toyota NOT have a bug bounty program, they get rather upset when you discover a bug.  It's always the fault of the third party for daring to touch their cars and never the fault of Toyota.

    As we approach the era of vehicle autonomy, bug-catching becomes more and more of a concern -- in terms of physical safety, even more important than desktop computer bug-finding.  In more recent car models, Toyota has chosen to add a digital gateway and shutout most access via the car's OBD plug in an attempt to prevent third party CAN bus accessories from potentially causing problems, but also making it harder to find or trigger a bug in Toyota's firmware.  Japanese car manuals that come with cars here in Japan specifically say not to connect anything to the OBD plug, and Toyota has instructed their dealers in Japan not to carry any third party devices that digitally communicate via OBD.  The same car manuals in English that come with the same cars in the US don't yet say that about the OBD, probably due to the Magnuson-Moss Warranty act which allows car owners to add devices to the car without invalidating car warranties.  All said, Toyota actually paying people for finding bugs today is a laughable thought.  It would be wonderful if they would simply be less aggressive toward bug finders.  But if Nissan and Carlos Ghosn can serve as an example, daring to think different at an automaker can actually land one in hot water.  

    Squabbling over precise dollar amounts is silly.  We should be thankful bug bounties even exist.
    Dave Kapwatto_cobra
  • Reply 12 of 18
    cgWerkscgWerks Posts: 2,227member
    Only, it's as if the people who created the program are in a different office to the ones who are supposed to pay out.

    Apple acts as if this bug bounty is an imposition on them, and the accounts department acts as if the amount is going to bankrupt the company. You don't get to become the world's most profitable company by casually spending money, but look at the numbers. The bug bounty is supposed to pay out between $25,000 and $200,000 and even in the short term, Apple's surely lost that in bad PR.
    They might actually be. :smile: 

    That's not how big companies work, though, unfortunately. Often these kind of things are departments under departments. They all have their own budgets and hard profitability or are assigned some 'value.' Bug bounties are probably some line item of some aspect of software development, or QC or something, and that department is trying to 'balance the budget' or something like that.

    As a friend, high-up in a Fortune 100 used to say... big company = stupid. It's almost comical sometimes how poorly they do certain things, or how obvious some of their mistakes are. But, like a train, they also have a ton of momentum... so they can get away with it, or weather it.
    edited February 9
  • Reply 13 of 18
    knowitallknowitall Posts: 1,358member
    Its important to note that anyone finding a serious bug has a moral obligation to report this to the right organizations (in this case Apple). Its a criminal act to do otherwise.
    Its also important to note that Apple must write its software in a way that exploits (of important parts of the security of the system) are impossible.
    Its a common mistake to think that cannot be done. The mistakes (root exploits) I have seen are all based on the use of programming languages without inherent security (C, objective C) and would simply not have existed when implemented in swift.
    Its Apples resposibilty to rewrite MacOS security frameworks and core OS (including its Unix subsystem) to make MacOS secure again.

    wanderso
  • Reply 14 of 18
    kruegdude said:
    I looked. Apple does not have a program to discourage people from reporting bugs. 
    Nobody said anything about Apple having a program to discourage people to report bugs, but rather make it difficult to report them.
  • Reply 15 of 18
    The author doesn't understand how this "industry" works. If Apple were to raise the price that they are offering people, the other companies offering hacking services would just offer more in an never ending battle to be the highest, and encourage people to withhold bugs to force companies to engage in a bidding war. Apple also came to the conclusion that at some point you actually create an incentive to develop hacks. Apple has studied this issue and realizes that the smart strategy is too offer a reasonable enough public bounty program and then to work quietly in the background in markets the author doesn't even know about to acquire other information.
    edited February 10
  • Reply 16 of 18
    macxpressmacxpress Posts: 4,896member
    wood1208 said:
    Every bug reported does not translate into reward from Apple. The bug has to be deep wide spread security related effecting people's identity and possibly harm financially.
    Sure, we don't disagree with that. However, Apple shouldn't have to be guilted into doing the right thing, again.
    Well how do we know Apple wasn't going to do what they did in the first place? Just because some kid reported a problem and Apple didn't fix it immediately so it got media attention because they (The kid and his family) went public and Apple shut everyone up by offering the kid money. But again, how do we know they weren't going to do something like that anyways? 
    watto_cobra
  • Reply 17 of 18
    cgWerkscgWerks Posts: 2,227member
    Notsofast said:
    The author doesn't understand how this "industry" works. If Apple were to raise the price that they are offering people, the other companies offering hacking services would just offer more in an never ending battle to be the highest, and encourage people to withhold bugs to force companies to engage in a bidding war. Apple also came to the conclusion that at some point you actually create an incentive to develop hacks. Apple has studied this issue and realizes that the smart strategy is too offer a reasonable enough public bounty program and then to work quietly in the background in markets the author doesn't even know about to acquire other information.
    I think the problem (if I'm understanding the news correctly) is that Apple has an iOS bounty program, but not an equivalent macOS one.
    mazda 3smuthuk_vanalingam
  • Reply 18 of 18
    kevin keekevin kee Posts: 1,044member
    macxpress said:
    wood1208 said:
    Every bug reported does not translate into reward from Apple. The bug has to be deep wide spread security related effecting people's identity and possibly harm financially.
    Sure, we don't disagree with that. However, Apple shouldn't have to be guilted into doing the right thing, again.
    Well how do we know Apple wasn't going to do what they did in the first place? Just because some kid reported a problem and Apple didn't fix it immediately so it got media attention because they (The kid and his family) went public and Apple shut everyone up by offering the kid money. But again, how do we know they weren't going to do something like that anyways? 
    It is only natural for the kid and family to ask for bounty money. Unfortunately they got impatient and leak it to public before Apple even finished investigating it. Now I use the word 'unfortunately', but it's actually showing more of the other side of human nature.
Sign In or Register to comment.