Infosec researchers say Apple’s bug-bounty program needs work

The Washington Post reported earlier today that Apple’s relationship with third-party security researchers may need further adjustments. Specifically, Apple’s “bug bounty” program, a way for companies to encourage ethical security researchers to responsibly find and disclose security issues with its products, appears less researcher-friendly and more slow to pay than the industry standard.

The Post says it polled more than two dozen security researchers who compared Apple’s bug bounty program with similar programs at competitors such as Facebook, Microsoft and Google. These researchers allege serious communication problems and a general lack of trust between Apple and the infosec community that its bounties are supposed to attract – “a bug bounty program where the house always wins,” according to Katie Moussouris, CEO of Luta Security.

Poor communication and unpaid premiums

Software engineer Tian Zhang seems to be a perfect example of Moussouris’ anecdote. In 2017, Zhang reported a major security breach in HomeKit, Apple’s home automation platform. Essentially, the flaw allowed anyone with an Apple Watch to support all HomeKit-managed accessories physically nearby, including smart locks, as well as security cameras and lights.

After a month of repeated emails to Apple security unanswered, Zhang took to Apple news site 9to5Mac to contact Apple PR, which Zhang described as “much more responsive” than Apple product security. . Two weeks later, six weeks after the vulnerability was initially reported, the issue was finally resolved in iOS 11.2.1.

According to Zhang, his second and third bug reports were again ignored by Product Security, with no bounties paid or credit given, but the bugs themselves have been fixed. Zhang’s membership in the Apple Developer Program was revoked after the third bug was submitted.

Equally frustrating was the experience of Swiss app developer Nicolas Brunner in 2020. While developing an app for Swiss Federal Roads, Brunner accidentally discovered a severe iOS location vulnerability that would allow an iOS app to track users without their consent. Specifically, granting an app permission to access location data only when it’s in the foreground actually grants 24/7 tracking access to the app.

Brunner reported the bug to Apple, who eventually fixed it in iOS 14.0 and even credited Brunner in the security release notes. But Apple hesitated for seven months to pay him a bounty, eventually notifying him that “the reported problem and your proof of concept do not demonstrate the categories listed” for the premium payment. According to Brunner, Apple stopped responding to his emails after this notification, despite requests for clarification.

According to Apple’s own checkout page, Brunner’s bug find would seem to easily qualify for a bounty of $ 25,000 or even $ 50,000 in the “User Installed Application: Unauthorized Access to Sensitive Data” category. “. This category specifically refers to “sensitive data normally protected by a TCC prompt,” and the payments page later defines “sensitive data” to include “accurate real-time or historical location data – or similar user data -” that would normally be prevented by the system. “

When asked to comment on Brunner’s case, Ivan Krstić, head of engineering and security architecture at Apple, told the Washington Post that “when we make mistakes, we work hard to correct them quickly and learn from them to quickly improve the program “.

A hostile program

Moussouris, who helped create bug bounty programs for Microsoft and the US Department of Defense, told the Post that “you need to have a healthy internal bug-fixing mechanism before you can try to have a healthy bug vulnerability disclosure program “. Moussoris went on to ask “what do you think will happen if [researchers] report a bug that you already knew but had not corrected? Or if they report something that takes you 500 days to fix? “

One of those options is to bypass a relatively hostile bug bounty program run by the vendor in question and sell the vulnerability to gray market brokers instead, where access can in turn be purchased by vendors. threat actors such as the Israeli group NSO. Zerodium is offering bounties of up to $ 2 million for the most severe iOS vulnerabilities, with less severe vulnerabilities like Brunner’s location exposure bug in its “up to $ 100,000” category.

Former NSA researcher Dave Aitel told the Post that Apple’s closed and covert approach to dealing with security researchers hampers the overall safety of its products. “Having a good relationship with the security community gives you a strategic vision that goes beyond your product cycle,” Aitel said, adding that “hiring a bunch of smart people won’t get you far. “.

Bugcrowd founder Casey Ellis says companies should pay researchers when reported bugs lead to code changes that close a vulnerability, though, as Apple rather confusedly told Brunner about its bug of localization, the reported bug does not meet the company’s own strict interpretation of its guidelines. . “The more good faith continues, the more productive the bonus programs will be,” he said.

A dazzling success?

Apple’s own description of its bug bounty program is significantly more optimistic than the incidents described above – and reactions from the broader security community – seem to suggest.

Apple’s director of security engineering and architecture, Ivan Krstić, told the Washington Post that “the Apple Security Bounty program has been a huge success.” According to Krstić, the company has nearly doubled its annual bug bounty payout and leads the industry in average bounties.

“We are working hard to evolve the program during its spectacular growth, and we will continue to provide the best rewards to security researchers,” continued Krstić. But despite the year-over-year increase in total premiums paid by Apple, the company lags far behind rivals Microsoft and Google, which paid out totals of $ 13.6 million and $ 6.7 million. dollars respectively in their last annual reports, against 3.7 million dollars for Apple.