Infosec researchers say Apple’s bug bounty program needs work

[Image: cartoon worm in a cartoon apple.] If you don’t have good relationships with bug reporters, you may not be able to control the disclosure schedule.

According to a Washington Post report published today, Apple’s relationship with third-party security researchers might need some additional tweaking. Specifically, Apple’s “bug bounty” program, the mechanism by which companies encourage ethical security researchers to find and responsibly disclose security issues in their products, seems less researcher-friendly and slower to pay than the industry standard.

The Post says it interviewed more than two dozen security researchers who compared Apple’s bug bounty program to similar programs from competitors such as Facebook, Microsoft and Google. Those researchers allege serious communication problems and a general lack of trust between Apple and the cybersecurity community its rewards are supposed to attract. The result, according to Luta Security CEO Katie Moussouris, is “a bug bounty program where the house always wins.”

Bad communication and unpaid rewards

Software engineer Tian Zhang seems to be a perfect example of Moussouris’ point. In 2017, Zhang reported a major security flaw in HomeKit, Apple’s home automation platform. Put simply, the flaw allowed anyone with an Apple Watch to take control of any HomeKit-managed accessories physically near them, including smart locks, security cameras and lights.

After a month of repeated emails to Apple Product Security with no response, Zhang enlisted Apple news site 9to5Mac to communicate with Apple PR, whom Zhang described as “much more responsive” than Apple Product Security had been. Two weeks later, six weeks after the vulnerability was initially reported, the issue was finally fixed in iOS 11.2.1.

According to Zhang, his second and third bug reports were again ignored by Product Security, with no rewards paid or credit given, even though the bugs themselves were fixed. Zhang’s Apple Developer Program membership was revoked after the third bug was filed.

[Image caption] Despite granting “while in use” only permissions to the app, Brunner found that his app actually received location access in the background 24/7.

Swiss application developer Nicolas Brunner had an equally frustrating experience in 2020. While developing an application for Swiss Federal Roadways, Brunner accidentally discovered a severe iOS location tracking vulnerability that would allow an iOS app to track users without their consent. Specifically, granting an app permission to access location data only while it is in the foreground actually gave the app permanent tracking access, 24/7.

Brunner reported the bug to Apple, which eventually fixed it in iOS 14.0 and even credited Brunner in the security release notes. But Apple stalled for seven months on paying him a reward, eventually notifying him that “the reported issue and their proof of concept does not demonstrate the categories listed” for payment. According to Brunner, Apple stopped responding to his emails after that notification, despite his requests for clarification.

According to Apple’s own payouts page, Brunner’s bug would appear to easily qualify for a $25,000 or even $50,000 reward in the “User-Installed App: Unauthorized Access to Sensitive Data” category. That category specifically refers to “sensitive data normally protected by a TCC prompt,” and the payouts page then defines “sensitive data” to include “real-time or historical precise location data, or similar user data, that would normally be prevented by the system.”

When asked to comment on the Brunner case, Apple’s head of security engineering and architecture, Ivan Krstić, told The Washington Post that “when we make mistakes, we work hard to correct them quickly, and we learn from them to rapidly improve the program.”

An unfriendly program

[Image caption] Vulnerability broker Zerodium offers substantial rewards for zero-day bugs, which it then resells to threat actors like Israel’s NSO Group.

Moussouris, who helped create bug bounty programs for both Microsoft and the US Department of Defense, told the Post that “you have to have a healthy internal bug-fixing mechanism before you can try to have a healthy bug vulnerability disclosure program.” Moussouris went on to ask, “What do you expect to happen if [researchers] report a bug that you already knew about but hadn’t fixed? Or if they report something that takes you 500 days to fix?”

One option researchers have is to skip a relatively hostile vendor-run bug bounty program and instead sell vulnerabilities to gray-market brokers, from whom access to those vulnerabilities can in turn be bought by threat actors such as Israel’s NSO Group. Zerodium offers rewards of up to $2 million for the most severe iOS vulnerabilities, with less severe vulnerabilities like Brunner’s location exposure bug falling into its “up to $100,000” category.

Former NSA research scientist Dave Aitel told the Post that Apple’s closed and secretive approach to dealing with security researchers hampers the overall security of its products. “Having a good relationship with the security community gives you a strategic vision that goes beyond your product cycle,” Aitel said, adding that “hiring a bunch of smart people only gets you so far.”

Bugcrowd founder Casey Ellis says companies should pay researchers when reported bugs lead to code changes that close a vulnerability, even if, as Apple rather confusingly told Brunner about its location bug, the reported bug does not meet the company’s strict interpretation of its guidelines. “The more good faith is maintained, the more productive the bounty programs will be,” he said.

A great success?

Apple’s own description of its bug bounty program is decidedly more upbeat than the incidents described above, and the reaction of the security community in general, would seem to warrant.

Apple’s Director of Security Architecture and Engineering Ivan Krstić told the Washington Post that “the Apple Security Bounty program has been a runaway success.” According to Krstić, the company has nearly doubled its annual bug bounty payouts and leads the industry in average bounty payout.

“We are working hard to scale the program during its dramatic growth, and we will continue to offer top rewards to security researchers,” Krstić continued. But despite Apple’s year-on-year increase in total reward payments, the company lags far behind rivals Microsoft and Google, which paid out a total of $13.6 million and $6.7 million, respectively, in their most recent annual reports, compared to Apple’s $3.7 million.
