Developer says Apple's Bounty Program never paid for location bug

Posted:
in General Discussion
An iOS engineer says he feels "robbed" by Apple's Security Bounty program after failing to receive payment for a vulnerability he believes fit its guidelines.




Nicolas Brunner, an iOS engineer at Swiss Federal Railways, wrote about his experience with the bounty program in a Medium post on Monday. According to Brunner, he had discovered an exploitable vulnerability in iOS 13 back in March 2020.

The vulnerability would have allowed an app to permanently collect a user's location data without their consent. Brunner says he discovered the flaw while working on an iOS project.

"This seemed like a critical issue to me -- especially with Apple's focus on privacy in the last years," Brunner wrote.

Brunner wrote a demonstration app and submitted it to Apple's bounty program. The flaw was actually fixed in iOS 14, and Apple credited Brunner in its security release notes. Despite that, Brunner said he didn't receive any payment for the vulnerability.

The developer communicated with Apple's security team over eight months, and, ultimately, Brunner says Apple sent no payment. In addition, in the last email the company sent, Apple allegedly said the issue did not qualify for a security bounty because it didn't demonstrate any categories listed under the program's guidelines.

Brunner disagrees with that assessment, pointing out that Apple lists access to "precise location data" that would typically be protected by a prompt as a vulnerability qualifying for a reward.

"To be frank: Right now, I feel robbed," Brunner wrote. "However I still hope, that the security program turns out to be a win-win situation for both parties."

Apple has long had a bug bounty program for specific operating systems, but it was invite-only for some time. In 2019, the company opened it to all developers and security researchers and expanded its scope to include all of its operating systems.

The Cupertino tech giant has paid out bounties for high-profile vulnerabilities in the past, including a $100,000 reward for a Sign in with Apple bug.

Keep up with everything Apple in the weekly AppleInsider Podcast -- and get a fast news update from AppleInsider Daily. Just say, "Hey, Siri," to your HomePod mini and ask for these podcasts, and our latest HomeKit Insider episode too.If you want an ad-free main AppleInsider Podcast experience, you can support the AppleInsider podcast by subscribing for $5 per month through Apple's Podcasts app, or via Patreon if you prefer any other podcast player.

Comments

  • Reply 1 of 7
    swineoneswineone Posts: 52member
    Lesson to the security researchers: don’t trust Apple and its once-a-penny-pincher-always-a-penny-pincher CEO. You may work for free for months at a time in exchange for a thank-you notice at the end for all the work performed (and maybe not even that).

    That’s just how penny-pinchers love it, so employees are free to spend even more time playing SJW by demanding Apple take sides in middle eastern wars or institute free-for-all “work” from home policies, rather than provide non-sloppy work output. Afterwards you can always trick a security researcher into working for free for you — you’re the famous, cool, hip Apple after all, people should be falling over themselves for the opportunity to get a thank-you note in the release notes that nobody reads.

    So, the strategy is dead simple: just sell it to the highest bidder in the black market. Plenty of people looking for some nice 0-days there, you’re sure to get handsomely rewarded rather than penny-pinched.
    lam92103
  • Reply 2 of 7
    mwhitemwhite Posts: 271member
    swineone said:
    Lesson to the security researchers: don’t trust Apple and its once-a-penny-pincher-always-a-penny-pincher CEO. You may work for free for months at a time in exchange for a thank-you notice at the end for all the work performed (and maybe not even that).

    That’s just how penny-pinchers love it, so employees are free to spend even more time playing SJW by demanding Apple take sides in middle eastern wars or institute free-for-all “work” from home policies, rather than provide non-sloppy work output. Afterwards you can always trick a security researcher into working for free for you — you’re the famous, cool, hip Apple after all, people should be falling over themselves for the opportunity to get a thank-you note in the release notes that nobody reads.

    So, the strategy is dead simple: just sell it to the highest bidder in the black market. Plenty of people looking for some nice 0-days there, you’re sure to get handsomely rewarded rather than penny-pinched.

    Get lost loser.....
    killroywatto_cobra
  • Reply 3 of 7
    sflocalsflocal Posts: 5,732member
    swineone said:
    Lesson to the security researchers: don’t trust Apple and its once-a-penny-pincher-always-a-penny-pincher CEO. You may work for free for months at a time in exchange for a thank-you notice at the end for all the work performed (and maybe not even that).

    That’s just how penny-pinchers love it, so employees are free to spend even more time playing SJW by demanding Apple take sides in middle eastern wars or institute free-for-all “work” from home policies, rather than provide non-sloppy work output. Afterwards you can always trick a security researcher into working for free for you — you’re the famous, cool, hip Apple after all, people should be falling over themselves for the opportunity to get a thank-you note in the release notes that nobody reads.

    So, the strategy is dead simple: just sell it to the highest bidder in the black market. Plenty of people looking for some nice 0-days there, you’re sure to get handsomely rewarded rather than penny-pinched.
    Talks much... says little.

    *yawn*
    killroywatto_cobra
  • Reply 4 of 7
    danoxdanox Posts: 599member
    swineone said:
    Lesson to the security researchers: don’t trust Apple and its once-a-penny-pincher-always-a-penny-pincher CEO. You may work for free for months at a time in exchange for a thank-you notice at the end for all the work performed (and maybe not even that).

    That’s just how penny-pinchers love it, so employees are free to spend even more time playing SJW by demanding Apple take sides in middle eastern wars or institute free-for-all “work” from home policies, rather than provide non-sloppy work output. Afterwards you can always trick a security researcher into working for free for you — you’re the famous, cool, hip Apple after all, people should be falling over themselves for the opportunity to get a thank-you note in the release notes that nobody reads.

    So, the strategy is dead simple: just sell it to the highest bidder in the black market. Plenty of people looking for some nice 0-days there, you’re sure to get handsomely rewarded rather than penny-pinched.


    So Boris and Natasha will pay up? 
    killroywatto_cobra
  • Reply 5 of 7
    If he found a bug in TCC, then TCC is listed on the bounty payout page so he should be paid. If Apple now feel that TCC bugs shouldn't qualify then they can simply change their program after they pay him.

    TCC seems a very weak system so I expect Apple will replace it in the near future, here is a blog post on it:

    https://objective-see.com/blog/blog_0x4C.html

    FileMakerFellerwatto_cobra
  • Reply 6 of 7
    uraharaurahara Posts: 585member
    danox said:
    swineone said:
    Lesson to the security researchers: don’t trust Apple and its once-a-penny-pincher-always-a-penny-pincher CEO. You may work for free for months at a time in exchange for a thank-you notice at the end for all the work performed (and maybe not even that).

    That’s just how penny-pinchers love it, so employees are free to spend even more time playing SJW by demanding Apple take sides in middle eastern wars or institute free-for-all “work” from home policies, rather than provide non-sloppy work output. Afterwards you can always trick a security researcher into working for free for you — you’re the famous, cool, hip Apple after all, people should be falling over themselves for the opportunity to get a thank-you note in the release notes that nobody reads.

    So, the strategy is dead simple: just sell it to the highest bidder in the black market. Plenty of people looking for some nice 0-days there, you’re sure to get handsomely rewarded rather than penny-pinched.


    So Boris and Natasha will pay up? 
    Maybe. Maybe not.
    They take it from you ... and then shoot you in the head.
    Less witnesses - the better.
    edited July 14 killroywatto_cobra
  • Reply 7 of 7
    chadbagchadbag Posts: 1,470member
    I tweeted a link of this article   to @tim_cook and @apple and asked them why they weren't following through and they had a bug bounty program if they weren't going to pay.  Hopefully others do the same. If multiple people calm them out publicly maybe they will respond. 
Sign In or Register to comment.