Apple's crippled bug bounty program makes us all less safe online
Paying people when they report serious security issues with macOS and iOS is a good idea but two years on, it's still only done in a half-hearted, miserly way. That's damaging for Apple and it's damaging for us.
There are problems that you cannot find in beta testing but which the millions of people using your products will ultimately spot.
Apple has some of the smartest and most experienced experts searching for problems in its software -- and most of them don't work for the company. Somebody, somewhere will find a problem, and the only question is what they will do with that information.
Right now, Apple has a program to discourage them from coming forward.
That's not how it's meant to be. Officially, Apple has had what it calls a bug bounty program since 2016 -- and it should be simple. If you find a serious bug in Apple's software, the company will pay a reward. That's it. Yes, there are going to be issues over whether you found it first but admin aside, it's straightforward.
Yet, we're three years into the bug bounty and this week Apple made television news by -- shock -- actually paying it out. And perhaps they only did so because of that news reporting.
People found a bug and reported it to Apple, who fixed it and said thank you. That is what happened and if it had happened in that sequence, if it had been even roughly a straight line through that process, we wouldn't be thinking about it. And, what's much more important, anyone else who finds a bug would go straight to Apple like we want them to. All credit to Apple for fixing this issue and definitely all credit to the company for creating this bug bounty program.
Only, it's as if the people who created the program are in a different office to the ones who are supposed to pay out.
Apple acts as if this bug bounty is an imposition on them, and the accounts department acts as if the amount is going to bankrupt the company. You don't get to become the world's most profitable company by casually spending money, but look at the numbers. The bug bounty is supposed to pay out between $25,000 and $200,000 and even in the short term, Apple's surely lost that in bad PR.
If this had gone another way, if Apple had accepted the bug report, acted on it right away and announced in a more timely fashion that it would pay for the kid's college education as a thank you, the company would be a star. Yes, everyone capable would be leaping on the bandwagon and trying to find a bug to tell Apple -- but that is precisely what they should want.
It's not that we want everybody to love Apple, it's that we want everybody who finds a bug to unhesitatingly take it straight to the company.
And, the researcher isn't sharing the specific details with Apple, beyond a demonstration of the fact that it works -- because of the obtuse bug bounty program. It sure would be better if Apple had all the details here. Certainly, the researcher is holding out which is part of the problem, but the reason why it is being held back is pretty telling.
Make it clear that telling Apple is the best thing -- and stop hiding how to even do this reporting. Right now, you will have difficulty finding out where to find this bug bounty program. Go ahead, search the Apple website for how you do it.
Maybe you thought about it for a sec and decided that apple.com wasn't the right place, you should search support.apple.com instead. Doesn't matter. No difference.
You'd think it would come up with something
Unless you spend your time figuring out synonyms for bugs and problems -- forget bounty, money, reward -- then the only way to find out how to report a bug is via a Google search. If you instead go to google.com and search "bug bounty at apple.com" then you'll find it.
Or rather, you'll find a Support page called Contact Apple about Security Issues. There's a section for Customers which doesn't mention anything to do with this. There's a section for Developers which tells them to report issues via the regular Apple Developer Connection program that they all have to be enrolled in.
Then, finally, there's a section headed Security and privacy researchers and they are told they can email [email protected] if they want to. That's apparently the one you need but you could fool us because Apple doesn't say so here, it doesn't say so anywhere.
We're fine with it being difficult to find bad people to sell your bug to, and easy to sell it to Apple. Apple shouldn't be making it as hard to find the good people.
We do not and probably will never know how much money Apple has paid to the discover of this Group FaceTime bug. We also can't actually put a price on how much damage its penny-pinching denial process has cost it this time. Terrible headlines are still popping up all across the internet and social media, despite Apple having already fixed the problem.
It follows, then, that we can't really put a dollar figure on what this means next. You can put too much weight on a single incident but when it's the only incident being talked about, when it's the only incident that makes the news, then it's the one that will be remembered first.
So what we learn from this single incident is that Apple has a bug bounty program but it doesn't want you to know about it. We learn that Apple doesn't really want you to report bugs and it truly does not want to pay out.
And the next time someone finds a serious bug, that could cost Apple -- and us all -- a lot more than between $25,000 and $200,000.
Keep up with AppleInsider by downloading the AppleInsider app for iOS, and follow us on YouTube, Twitter @appleinsider and Facebook for live, late-breaking coverage. You can also check out our official Instagram account for exclusive photos.
There are problems that you cannot find in beta testing but which the millions of people using your products will ultimately spot.
Apple has some of the smartest and most experienced experts searching for problems in its software -- and most of them don't work for the company. Somebody, somewhere will find a problem, and the only question is what they will do with that information.
Right now, Apple has a program to discourage them from coming forward.
That's not how it's meant to be. Officially, Apple has had what it calls a bug bounty program since 2016 -- and it should be simple. If you find a serious bug in Apple's software, the company will pay a reward. That's it. Yes, there are going to be issues over whether you found it first but admin aside, it's straightforward.
Yet, we're three years into the bug bounty and this week Apple made television news by -- shock -- actually paying it out. And perhaps they only did so because of that news reporting.
Good Apple
Apple has done the right thing. It's not only paid some money for the discovery, it's fixed the problem and its release notes credit the people who found it.People found a bug and reported it to Apple, who fixed it and said thank you. That is what happened and if it had happened in that sequence, if it had been even roughly a straight line through that process, we wouldn't be thinking about it. And, what's much more important, anyone else who finds a bug would go straight to Apple like we want them to. All credit to Apple for fixing this issue and definitely all credit to the company for creating this bug bounty program.
Only, it's as if the people who created the program are in a different office to the ones who are supposed to pay out.
Apple acts as if this bug bounty is an imposition on them, and the accounts department acts as if the amount is going to bankrupt the company. You don't get to become the world's most profitable company by casually spending money, but look at the numbers. The bug bounty is supposed to pay out between $25,000 and $200,000 and even in the short term, Apple's surely lost that in bad PR.
If this had gone another way, if Apple had accepted the bug report, acted on it right away and announced in a more timely fashion that it would pay for the kid's college education as a thank you, the company would be a star. Yes, everyone capable would be leaping on the bandwagon and trying to find a bug to tell Apple -- but that is precisely what they should want.
It's not that we want everybody to love Apple, it's that we want everybody who finds a bug to unhesitatingly take it straight to the company.
Holding out in protest
Also in February, a researcher has demonstrated a new Keychain exploit, that given the right circumstances will allow a persistent and focused attacker to extract your passwords from the Keychain. It isn't so simple that the passwords are downloaded to miscreants when a bad ad is displayed, but it is a vector of attack nonetheless.And, the researcher isn't sharing the specific details with Apple, beyond a demonstration of the fact that it works -- because of the obtuse bug bounty program. It sure would be better if Apple had all the details here. Certainly, the researcher is holding out which is part of the problem, but the reason why it is being held back is pretty telling.
Not an insurmountable problem
Nobody wants Apple to look like it's alternately in denial and penny-pinching, but it does. Nobody on the side of the angels wants people who find bugs to think it's just easier to sell it to someone who'll exploit a macOS or iOS vulnerability.Make it clear that telling Apple is the best thing -- and stop hiding how to even do this reporting. Right now, you will have difficulty finding out where to find this bug bounty program. Go ahead, search the Apple website for how you do it.
Maybe you thought about it for a sec and decided that apple.com wasn't the right place, you should search support.apple.com instead. Doesn't matter. No difference.
You'd think it would come up with something
Unless you spend your time figuring out synonyms for bugs and problems -- forget bounty, money, reward -- then the only way to find out how to report a bug is via a Google search. If you instead go to google.com and search "bug bounty at apple.com" then you'll find it.
Or rather, you'll find a Support page called Contact Apple about Security Issues. There's a section for Customers which doesn't mention anything to do with this. There's a section for Developers which tells them to report issues via the regular Apple Developer Connection program that they all have to be enrolled in.
Then, finally, there's a section headed Security and privacy researchers and they are told they can email [email protected] if they want to. That's apparently the one you need but you could fool us because Apple doesn't say so here, it doesn't say so anywhere.
Smarts
If you're clever enough to find a bug, you're smart enough to eventually find the bug bounty program. There's also a good chance that you're smart enough to know that there is good money to be had from the kind of people you don't ever want to have access to bugs.We're fine with it being difficult to find bad people to sell your bug to, and easy to sell it to Apple. Apple shouldn't be making it as hard to find the good people.
We do not and probably will never know how much money Apple has paid to the discover of this Group FaceTime bug. We also can't actually put a price on how much damage its penny-pinching denial process has cost it this time. Terrible headlines are still popping up all across the internet and social media, despite Apple having already fixed the problem.
It follows, then, that we can't really put a dollar figure on what this means next. You can put too much weight on a single incident but when it's the only incident being talked about, when it's the only incident that makes the news, then it's the one that will be remembered first.
So what we learn from this single incident is that Apple has a bug bounty program but it doesn't want you to know about it. We learn that Apple doesn't really want you to report bugs and it truly does not want to pay out.
And the next time someone finds a serious bug, that could cost Apple -- and us all -- a lot more than between $25,000 and $200,000.
Keep up with AppleInsider by downloading the AppleInsider app for iOS, and follow us on YouTube, Twitter @appleinsider and Facebook for live, late-breaking coverage. You can also check out our official Instagram account for exclusive photos.
Comments
As we approach the era of vehicle autonomy, bug-catching becomes more and more of a concern -- in terms of physical safety, even more important than desktop computer bug-finding. In more recent car models, Toyota has chosen to add a digital gateway and shutout most access via the car's OBD plug in an attempt to prevent third party CAN bus accessories from potentially causing problems, but also making it harder to find or trigger a bug in Toyota's firmware. Japanese car manuals that come with cars here in Japan specifically say not to connect anything to the OBD plug, and Toyota has instructed their dealers in Japan not to carry any third party devices that digitally communicate via OBD. The same car manuals in English that come with the same cars in the US don't yet say that about the OBD, probably due to the Magnuson-Moss Warranty act which allows car owners to add devices to the car without invalidating car warranties. All said, Toyota actually paying people for finding bugs today is a laughable thought. It would be wonderful if they would simply be less aggressive toward bug finders. But if Nissan and Carlos Ghosn can serve as an example, daring to think different at an automaker can actually land one in hot water.
Squabbling over precise dollar amounts is silly. We should be thankful bug bounties even exist.
That's not how big companies work, though, unfortunately. Often these kind of things are departments under departments. They all have their own budgets and hard profitability or are assigned some 'value.' Bug bounties are probably some line item of some aspect of software development, or QC or something, and that department is trying to 'balance the budget' or something like that.
As a friend, high-up in a Fortune 100 used to say... big company = stupid. It's almost comical sometimes how poorly they do certain things, or how obvious some of their mistakes are. But, like a train, they also have a ton of momentum... so they can get away with it, or weather it.
Its also important to note that Apple must write its software in a way that exploits (of important parts of the security of the system) are impossible.
Its a common mistake to think that cannot be done. The mistakes (root exploits) I have seen are all based on the use of programming languages without inherent security (C, objective C) and would simply not have existed when implemented in swift.
Its Apples resposibilty to rewrite MacOS security frameworks and core OS (including its Unix subsystem) to make MacOS secure again.