Infosec researchers say Apple’s bug bounty program needs work
If you don’t maintain good relationships with bug reporters, you may not be able to control the disclosure schedule.
The Washington Post reported today that Apple’s relationship with third-party security researchers could use some additional tweaking. In particular, Apple’s bug bounty program – the mechanism companies use to encourage ethical security researchers to find and responsibly disclose security issues in their products – appears to be less researcher-friendly and slower to pay than the industry standard.
The Post says it interviewed more than two dozen security researchers who compared Apple’s bug bounty program with similar programs at rivals like Facebook, Microsoft, and Google. These researchers allege serious communication problems and an overall lack of trust between Apple and the infosec community when it comes to bug bounties – “a bug bounty program where the house always wins,” said Katie Moussouris, CEO of Luta Security.
Bad communication and unpaid bounties
Software engineer Tian Zhang seems a perfect illustration of Moussouris’ point. In 2017, Zhang reported a serious vulnerability in HomeKit, Apple’s home automation platform. Essentially, the bug allowed anyone with an Apple Watch to take over all of the HomeKit-managed accessories physically near them – including smart locks, as well as security cameras and lights.
After a month of repeated emails to Apple Security with no response, Zhang enlisted Apple news site 9to5Mac to contact Apple PR, which Zhang described as “much more responsive” than Apple Product Security. Two weeks later – six weeks after the vulnerability was first reported – the problem was finally resolved in iOS 11.2.1.
Zhang said his second and third bug reports were once again ignored by Product Security, with no bounties paid or credit granted – but the bugs themselves were fixed. Zhang’s Apple Developer Program membership was revoked after he submitted the third bug.
Although Brunner granted “in-use only” permissions to the app, he found that his app was in fact given 24/7 background permissions.
Swiss app developer Nicolas Brunner had a similarly frustrating experience in 2020. While developing an app for Swiss federal highways, Brunner accidentally discovered a serious iOS location tracking vulnerability that allowed an iOS app to track users without their consent. Specifically, granting an app permission to access location data only while in the foreground actually gave the app permanent, 24/7 tracking access.
Brunner reported the bug to Apple, which eventually fixed it in iOS 14.0 and even credited Brunner in the security release notes. But Apple dragged its feet for seven months on paying him a bounty, and eventually informed him that “the reported issue and your proof of concept do not show the categories listed” for the bounty payout. According to Brunner, Apple stopped responding to his emails after this notification, despite his requests for clarification.
According to Apple’s own payout page, Brunner’s bug would appear to easily qualify for a $25,000 or even $50,000 bounty in the “User-Installed App: Unauthorized Access to Sensitive Data” category. This category specifically refers to “sensitive data normally protected by a TCC prompt,” and the payout page later defines “sensitive data” to include “real-time or historical accurate location data – or similar user data – that would normally be prevented by the system.”
When asked to comment on Brunner’s case, Ivan Krstić, Apple’s Head of Security Engineering and Architecture, told the Washington Post: “When we make mistakes, we work hard to correct them quickly and learn from them to rapidly improve the program.”
An unfriendly program
Vulnerability broker Zerodium offers substantial premiums for zero-day bugs, which it then resells to threat actors such as the Israeli NSO Group.
Moussouris – who helped develop bug bounty programs for Microsoft and the Department of Defense – told the Post that “you must have a healthy internal bug-fixing mechanism in place before you can try to create a healthy bug disclosure program.” Moussouris continued, “What do you expect will happen when [researchers] report a bug that you already knew about but haven’t fixed yet? Or what if they report something that takes 500 days to fix?”
One possibility is that researchers bypass a vendor’s relatively unfriendly bug bounty program and instead sell the vulnerability to gray-market brokers, who in turn sell access to threat actors like Israel’s NSO Group. Zerodium offers rewards of up to $2 million for the most serious iOS vulnerabilities – with less severe vulnerabilities such as Brunner’s location exposure bug falling in the “up to $100,000” category.
Former NSA research scientist Dave Aitel told the Post that Apple’s closed, clandestine approach to dealing with security researchers hinders overall product security. “Having a good relationship with the security community gives you a strategic vision that extends beyond your product lifecycle,” said Aitel, adding, “Hiring a bunch of smart people will only get you so far.”
Casey Ellis, founder of Bugcrowd, says companies should pay researchers if reported bugs result in code changes to fix a vulnerability, even if – as Apple rather confusingly told Brunner about his location bug – the reported bug does not meet the company’s strict interpretation. “The more good faith there is, the more productive bounty programs become,” he said.
A resounding success?
Apple’s own description of its bug bounty program is decidedly rosier than the incidents described above – and the reactions of the broader security community – would suggest.
Ivan Krstić, head of Apple Security Engineering and Architecture, told the Washington Post that “the Apple Security Bounty program has been a huge success”. According to Krstić, the company has almost doubled its annual bug bounty payout and is the industry leader in the average bounty amount.
“We are working hard to scale the program as it grows dramatically, and we will continue to offer top rewards to security researchers,” Krstić continued. But despite the year-over-year increase in Apple’s total bounty payouts, the company lags far behind rivals Microsoft and Google, which paid out a total of $13.6 million and $6.7 million, respectively, in their most recent annual reports, compared to Apple’s $3.7 million.