HackerSource: iMore

What you need to know

  • A developer by the name of Nicolas Brunner says they feel robbed by the company's security bounty program.
  • Brunner discovered a flaw in iOS 13 and was left in the dark by Apple for 14 months.
  • The company finally got back to him, only to let him know he didn't qualify for a payment.

An iOS engineer by the name of Nicolas Brunner says they feel "robbed" by Apple after discovering a bug in iOS 13, only to be told their findings didn't qualify for the company's Security Bounty Program.

In a post to Medium Brunner shared a blog post that states "This is my personal story with the Apple Security Bounty program and why I believe it is a lie after reporting an issue, testing fixes and being left in the dark after 14 months."

Brunner claims that in March 2020 they found a way "to access a User's location permanently and without consent on any iOS 13 (or older) device". Brunner's report was accepted by Apple, corrected, and Brunner was even credited with the finding in iOS 14's security release notes. However, Brunner says they feel "robbed" by the company after being told the finding did not qualify them for a payout from Apple's Security Bounty Program:

The report got accepted and the issue was fixed in iOS 14 and I got credited on the iOS 14 security content release notes. However, as of today, Apple refuses any bounty payment, although the report at hand very clearly qualifies according to their own guidelines. Also, Apple refuses to elaborate on why the report would not qualify. So read this article with a pinch of salt, since as a long-time iOS developer I'm very disappointed with Apple's communication.

Brunner says Apple took 14 months to clarify they wouldn't be receiving a payment, an email received in May states "the issue has been reviewed for the Apple Security Bounty, and, unfortunately, it does not qualify." Brunner insists the finding does in fact fall under Apple's 'App access to sensitive data normally protected by a TCC prompt', which can pay out up to $100,000 to whoever discovers the issue.

Brunner stated in the post that they hope "the security bounty program turns out to be a win-win situation for both parties" but saw no reason at present "why developers like myself should continue to contribute to it."

Apple launched the most recent version of its Security Bounty Program in December of 2019, the program can pay out as much as $1.5 million if a developer finds an issue previously unknown to Apple, and its website further states "ll security issues with significant impact to users will be considered for Apple Security Bounty payment, even if they do not fit the published bounty categories."

iMore has reached out to Apple for comment on the story.