Apple employee misses out on $10,000 bug bounty from Google

Posted:
in General Discussion

An Apple employee found an incredibly small bug in Chrome and didn't take long to report it, but still Google says he or she was too late, they won't pay up.

Google Chrome icon
Google Chrome icon



And they say Apple is mean with its bug bounty rewards program. During a "Capture the Flag" (CTF hacking contest in March, an Apple employee spotted a previously unknown bug in Google Chrome.

According to TechCrunch, he or she then followed a procedure to test and report it.

"It took me 2 weeks working on it full time to root cause, write [the] exploit [Proof of Concept] and writeup the issue such that it can be fixed," wrote a TechCrunch forum member claiming to be the original discoverer.

"It was reported on June 5th, through my company," he or she continued. "Yes it was late, there are multiple reasons for that. I first had to find the person responsible, the report had to be signed off by people and then the person responsible was [out-of-office]."

Going by the name Galileo, the forum commenter added that there "wasn't any real urgency."

"Only you and my team was aware of it and the issue is likely not that great in a real world scenario," he or she continued, "(doesn't work on Android, pretty visible since it freezes the Chrome GUI for a few seconds)."

But before this Apple employee reported the bug, someone else did. That unnamed person made it clear to Google that they did not find the bug, but they were at the CTF contest and wanted to be sure it was reported.

This person was awarded $10,000 by Google, despite protesting that they did not discover it. In Google's bug report, the company now notes that "we have been made aware that there are some disagreements with how this was presented to us."

"The reporter of this issue has just made us aware that the reporter of issue 1451211 was key in the original discovery that led to this report," it says. "We are happy to include them in acknowledgement here and in the security fix/release notes for this issue when we receive that information."

"Otherwise, we do not see the need for any other action here," continues Google. "We do not plan to reissue this reward."

Google reportedly fixed the zero day bug after the first report and before the discoverer supplied the details.

While this particular bug was reportedly mild in the extreme, overall in 2022, Google Chrome was found to be the browser most vulnerable to security issues.

Read on AppleInsider

Comments

  • Reply 1 of 13
    clexmanclexman Posts: 210member
    The headline should be, "Person comes in 2nd, wants the same trophy as the person who came in 1st." Says, "Rules are not fair and shouldn't be followed."
    beowulfschmidtigorskygrandact73
  • Reply 2 of 13
    ransonranson Posts: 75member
    clexman said:
    The headline should be, "Person comes in 2nd, wants the same trophy as the person who came in 1st." Says, "Rules are not fair and shouldn't be followed."
    I disagree here, because the circumstances are highly unusual. The reasons the Apple employee was not first to report the vulnerability are listed out in the article. In simplest terms, it boils down to someone who does not work at Apple and was not involved in discovering the vulnerability having effectively overheard the Apple team talking about their discovery during the hackathon and submitting the form first. The reporter likely just provided the steps to reproduce the attack to Google, all while the original discoverer was still working to author a deep technical description of the vulnerability and identify any similar or derivative methods of exploiting it.

    Imagine physicist who makes an amazing discovery, or an astronomer who discovers a new asteroid or dwarf planet. And now imagine someone else who witnessed the discovery actually going to publication with details about it before the discoverer. That would be the death knell for the ninja's career because it's plagiarism.

    When someone makes a novel discovery, everyone else should provide space and deference for the discoverer to confirm their findings and report them properly and completely. In the case of cybersecurity, this is especially important because denying someone a bounty for finding a vulnerability (much less, awarding it to someone completely disconnected from the discovery) will only encourage the discoverer to stop participating in the bounty program going forward. And since they are the one actually finding the vulnerabilities (and not the ninja), we absolutely want them to continue in the program, so as to ensure the most secure products that the vast majority of the world is using every day of their lives.
    edited July 2023 ravnorodomdavkillroyright_said_freddewmewatto_cobraStrangeDayswesternsky1
  • Reply 3 of 13
    jfabula1jfabula1 Posts: 138member
    Dont be caught Sleeping w the enemy
    killroywatto_cobra
  • Reply 4 of 13
    igorskyigorsky Posts: 759member
    Funny how all the blogs initially reported this as “Apple didn’t tell Google about a Chrome zero-day exploit”. 
    killroywatto_cobra
  • Reply 5 of 13
    killroykillroy Posts: 278member
    clexman said:
    The headline should be, "Person comes in 2nd, wants the same trophy as the person who came in 1st." Says, "Rules are not fair and shouldn't be followed."
    Wants the same trophy as the low life person that stole the report. FIFY.
    right_said_fredwatto_cobraStrangeDays
  • Reply 6 of 13
    chadbagchadbag Posts: 2,008member
    killroy said:
    clexman said:
    The headline should be, "Person comes in 2nd, wants the same trophy as the person who came in 1st." Says, "Rules are not fair and shouldn't be followed."
    Wants the same trophy as the low life person that stole the report. FIFY.
    Did you read the article?   Probably not as it clearly explains that that “low life” right out said they were not the discoverer, never claimed to be, but was at the contest and wanted to make sure the big was reported.  According to the article they were awarded the bounty despite protesting that they weren’t the discoverer.  How “low life” is that?

    Google, of course, is the culprit here.  Being evil
    instead of doing the right thing.   The “low life” mostly seems to have done the right thing. 
    watto_cobra
  • Reply 7 of 13
    dewmedewme Posts: 5,489member
    The Apple employee obviously did the right thing in this case. Unfortunately for them, by following a more rigid protocol and process for analyzing and reporting the bug he or she got beat to the punch by someone else for a number of reasons. It happens. It's also highly commendable that the person receiving the bounty admitted that they did not actually discover the bug but were merely submitting the bug report to make sure the appropriate response was initiated.

    Like Ranson mentioned, both parties did the right thing here. I hope they both continue to feel highly compelled to both search out bugs and report them in a timely manner. At the very least Google should send a thank you letter to the Apple employee for their sincere effort. Will this make up for the sting of a $10,000 loss? Probably not, but it is still a formal recognition for doing the right thing. It's not always about the money.

    Additionally, Google may get several submissions after the bounty has been paid out. I think everyone who submitted a qualifying report should get a thank you letter if for no other reason than to acknowledge their effort and to encourage them to keep at it. The more they submit the greater the probability that they will eventually be the one to collect the bounty. 

    Did Google do the right thing? Yes, I think they did, if for no other reason than for the sake of simplicity. Think about it. There are very many unreported vulnerabilities lurking in the wild. There has always been and will always be a non-zero probability that more than one bug hunter will stumble upon the same exact bug within the same relative time frame. Until a bug hunter brings the bug's pelt in to claim the bounty, it's anyones bounty to claim. The circumstances and processes under which each bug hunter prepares their pelt (bug report) for submission are individual variables and certainly nothing Google can control. 

    All Google can do is follow the terms they put in place, which is the first one in with a qualified report gets the bounty. 
    gatorguy
  • Reply 8 of 13
    What is stopping the person who received the bounty from handing the reward over to the person who actually discovered the bug?
    watto_cobraStrangeDaysgatorguy
  • Reply 9 of 13
    chasmchasm Posts: 3,380member
    Google should do the right thing and give the original discoverer $10K as well. It’s not like they can’t afford it, and that guy did a lot of work on it that the first reporter simply did not.

    This is the sort of thing that can turn a white hat into a black hat, but as we should all know by now Google isn’t really that interested in bugs unless it affects their ability to data-mine Chrome users.
    watto_cobra
  • Reply 10 of 13
    StrangeDaysStrangeDays Posts: 12,933member
    This read like a DED article. I was so happy to think we are rid of him, yet it seems he still works in the background.
    It doesn’t whatsoever. DED writes opinion pieces, and they’re quite lengthy. This was neither. 
  • Reply 11 of 13
    gatorguygatorguy Posts: 24,354member
    chadbag said:
    killroy said:
    clexman said:
    The headline should be, "Person comes in 2nd, wants the same trophy as the person who came in 1st." Says, "Rules are not fair and shouldn't be followed."
    Wants the same trophy as the low life person that stole the report. FIFY.
    Did you read the article?   Probably not as it clearly explains that that “low life” right out said they were not the discoverer, never claimed to be, but was at the contest and wanted to make sure the big was reported.  According to the article they were awarded the bounty despite protesting that they weren’t the discoverer.  How “low life” is that?

    Google, of course, is the culprit here.  Being evil
    instead of doing the right thing.   The “low life” mostly seems to have done the right thing. 
    Is there something preventing the one who reported it from giving it to the guy who discovered it but didn't make it important enough to report right away? I mean, wouldn't that be the right thing to do? No one, especially not Google, is forcing him to keep it. I think the evil tag you're trying to hang is misplaced. 
  • Reply 12 of 13
    chadbagchadbag Posts: 2,008member
    gatorguy said:
    chadbag said:
    killroy said:
    clexman said:
    The headline should be, "Person comes in 2nd, wants the same trophy as the person who came in 1st." Says, "Rules are not fair and shouldn't be followed."
    Wants the same trophy as the low life person that stole the report. FIFY.
    Did you read the article?   Probably not as it clearly explains that that “low life” right out said they were not the discoverer, never claimed to be, but was at the contest and wanted to make sure the big was reported.  According to the article they were awarded the bounty despite protesting that they weren’t the discoverer.  How “low life” is that?

    Google, of course, is the culprit here.  Being evil
    instead of doing the right thing.   The “low life” mostly seems to have done the right thing. 
    Is there something preventing the one who reported it from giving it to the guy who discovered it but didn't make it important enough to report right away? I mean, wouldn't that be the right thing to do? No one, especially not Google, is forcing him to keep it. I think the evil tag you're trying to hang is misplaced. 
    Of course you do.    And you’d be wrong. 

    Google had it spelled out to them (at least per the article) but refused to do anything to correct the issue.  

    While the recipient probably should pas it on, it’s probably not that easy as Google will issue him a 1099 at tax time and he’ll be responsible for the taxes on it. Or have to try and make a case to the IRS that he’s not, but his passing it on probably doesn’t absolve him from paying the taxes on it as the passing on would most likely be looked at as a gift and gifting rules would apply.  (I’m not a CPA or tax pro).  The “bookkeeping” makes it harder than it should be, I’m guessing. 
Sign In or Register to comment.