Ask HN: How do I make Apple pay up?

4 points by hgezim 3 years ago | 11 comments

On the 3rd of March, I happened on a severe security vulnerability on an Apple product. Immediately, I reported it to them via the Apple Security Research program.

In the initial report, I didn't know I could upload videos and I asked them if I can upload my video proof to YouTube (unlisted). They told me not to — presumably because they didn't want this to be public.

It took them until another 9 days (March 14th) to decide that this wasn't an issue. At that point the ticket got marked as "This is expected behavior."

I'm convinced that if this vulnerability is made public, Apple would change their mind about it's severity.

I'm not sure if I can share it, though, as they might use it as an excuse not to pay me a bounty. Thoughts on how to approach this?

PS: I asked them if I could post it publicity after they closed the ticket but haven't heard anything from them.

latexr 3 years ago |

Apple is notoriously stingy with bug bounties.¹ They also like to say “going to the press doesn’t help” when time and again it’s been shown they only react to bad press.

If the issue you found is “expected behaviour”, then there’s no harm in sharing it. Do it publicly while mentioning your timeline and their response. Let everyone else decide if it’s truly an issue or not. If they end up changing it, it becomes proof you found a legitimate problem. That doesn’t guarantee they’ll pay up, but they’ll get even more bad press if they don’t.

Apple has already indicated they don’t intend to pay you. By keeping the problem a secret you have no recourse and will continue not being paid. Unless you know someone at Apple which could make it happen, anything other than sharing the bug is a waste of your time and presumably harmful for users who won’t know of the problem and thus can’t protect against it.

¹ https://www.macrumors.com/2021/09/09/security-researchers-ap...

hgezim 3 years ago | |

Hey thanks for this take. Definitely feels like the approach I should take based on their behaviour.

Besides, what’s the harm in me discussing “intended behaviour”?

zamnos 3 years ago | | |

I recommend waiting the industry standard 90 days before volunteering intended behavior.

BrentOzar 3 years ago |

Talk to a few of your trusted peers about the effect (not the mechanics) of the vulnerability.

As in, "If you hand me your iPhone, I can unlock it without knowing your password." Don't tell them how, just describe in 1 sentence what access you need, and what you're able to do. If your trusted peers (not drinking buddies who do other jobs) are impressed, then widen the circle a little - tell strangers (like HN readers) that same thing, and ask if it's a vulnerability.

It'll just help you have a sanity check about whether or not it's actually a vulnerability that Apple needs to fix, or perhaps it's someone else's, or not really that big of a deal.

hgezim 3 years ago | |

Maybe I'm drinking my own koolaid here but I don't feel safe when I use this Apple device regularly.

How does Apple establish "prior art" if I go public with it? Can someone else claim credit for it?

BrentOzar 3 years ago | | |

> How does Apple establish "prior art" if I go public with it?

You're not going public with the HOW, only the effects. Reread my comment about asking your trusted peers, please.