Apple employee misses out on $10,000 bug bounty from Google
An Apple employee found an incredibly small bug in Chrome and didn't take long to report it, but Google says he or she was still too late, and it won't pay up.
And they say Apple is mean with its bug bounty rewards program. During a "Capture the Flag" (CTF) hacking contest in March, an Apple employee spotted a previously unknown bug in Google Chrome.
According to TechCrunch, he or she then followed a procedure to test and report it.
"It took me 2 weeks working on it full time to root cause, write [the] exploit [Proof of Concept] and write up the issue such that it can be fixed," wrote a TechCrunch forum member claiming to be the original discoverer.
"It was reported on June 5th, through my company," he or she continued. "Yes it was late, there are multiple reasons for that. I first had to find the person responsible, the report had to be signed off by people and then the person responsible was [out-of-office]."
Going by the name Galileo, the forum commenter added that there "wasn't any real urgency."
"Only you and my team were aware of it and the issue is likely not that great in a real world scenario," he or she continued, "(doesn't work on Android, pretty visible since it freezes the Chrome GUI for a few seconds)."
But before this Apple employee reported the bug, someone else did. That unnamed person made it clear to Google that they did not find the bug, but they were at the CTF contest and wanted to be sure it was reported.
This person was awarded $10,000 by Google, despite protesting that they did not discover it. In Google's bug report, the company now notes that "we have been made aware that there are some disagreements with how this was presented to us."
"The reporter of this issue has just made us aware that the reporter of issue 1451211 was key in the original discovery that led to this report," it says. "We are happy to include them in acknowledgement here and in the security fix/release notes for this issue when we receive that information."
"Otherwise, we do not see the need for any other action here," continues Google. "We do not plan to reissue this reward."
Google reportedly fixed the zero-day bug after the first report and before the discoverer supplied the details.
While this particular bug was reportedly mild in the extreme, Google Chrome was overall found to be the browser most vulnerable to security issues in 2022.
Comments
Imagine a physicist who makes an amazing discovery, or an astronomer who discovers a new asteroid or dwarf planet. And now imagine someone else who witnessed the discovery actually going to publication with details about it before the discoverer. That would be the death knell for the ninja's career because it's plagiarism.
When someone makes a novel discovery, everyone else should provide space and deference for the discoverer to confirm their findings and report them properly and completely. In the case of cybersecurity, this is especially important because denying someone a bounty for finding a vulnerability (much less, awarding it to someone completely disconnected from the discovery) will only encourage the discoverer to stop participating in the bounty program going forward. And since they are the one actually finding the vulnerabilities (and not the ninja), we absolutely want them to continue in the program, so as to ensure the most secure products that the vast majority of the world is using every day of their lives.
Google, of course, is the culprit here. Being evil instead of doing the right thing. The “low life” mostly seems to have done the right thing.
Like Ranson mentioned, both parties did the right thing here. I hope they both continue to feel highly compelled to both search out bugs and report them in a timely manner. At the very least Google should send a thank you letter to the Apple employee for their sincere effort. Will this make up for the sting of a $10,000 loss? Probably not, but it is still a formal recognition for doing the right thing. It's not always about the money.
Additionally, Google may get several submissions after the bounty has been paid out. I think everyone who submitted a qualifying report should get a thank you letter if for no other reason than to acknowledge their effort and to encourage them to keep at it. The more they submit the greater the probability that they will eventually be the one to collect the bounty.
Did Google do the right thing? Yes, I think they did, if for no other reason than for the sake of simplicity. Think about it. There are very many unreported vulnerabilities lurking in the wild. There has always been and will always be a non-zero probability that more than one bug hunter will stumble upon the same exact bug within the same relative time frame. Until a bug hunter brings the bug's pelt in to claim the bounty, it's anyone's bounty to claim. The circumstances and processes under which each bug hunter prepares their pelt (bug report) for submission are individual variables and certainly nothing Google can control.
All Google can do is follow the terms they put in place, which is the first one in with a qualified report gets the bounty.