Questions about the Apple Security Bounty

January 13 2020 by Jeff Johnson

I'm not a professional security researcher, I'm just an app developer. I don't know how security bounty programs work, as I've never participated in one until now. On August 8 at the Black Hat 2019 conference, Apple announced an expansion of their bounty program for security vulnerabilities. The previous, limited bounty program was by invitation only, and it covered iOS only, whereas the expanded bounty program would be open to anyone and cover all of Apple's operating systems, including macOS. I have over a decade of experience in Mac development, and I've discovered several security issues in macOS during that time, so Apple's announcement of a bounty program inspired me to look for more. Within a couple of months — before the release of macOS 10.15 Catalina on October 7 — I found a couple of issues to report.

Curiously, the Apple Security Bounty program did not open before the release of macOS 10.15 or iOS 13. In fact, it didn't open until the evening of Thursday December 19, a few days before Christmas. The terms and conditions of the Apple Security Bounty are available on Apple's web site. The most important question for me was, how soon would I get paid a bounty? Unfortunately, the terms and conditions said nothing about the timeline of payments. Despite my lack of information about this, I felt compelled to submit my reports as soon as possible anyway, because Apple stated that only "the first party to report the issue to Apple Product Security" is eligible for a bounty, so I was afraid that I might lose out to someone else who reported the same issues. Besides, I never had any intention to withhold the reports from Apple. Indeed, I would have reported my issues in September if the Apple Security Bounty program had been open back then.

On December 20, after receiving acknowledgement of my vulnerability reports, I emailed Apple Product Security requesting details about the bounty payment process. On January 5 they replied with the following information: "Eligible reports are usually awarded after the release of a security update which addresses the issue. If an issue reported qualifies, we will send a follow-up email with the relevant information regarding the adjudicated amount." I don't feel there's anything wrong with my publishing this response, because I'm merely trying to clarify the already public terms and conditions of a program open to everyone in the public, so shouldn't everyone know how it works?

Here's the problem, though. What happens if a reported issue is not addressed for a very long time: 9 months, 12 months, or even more? Does Apple refuse to pay the bounty during that time? This is a real problem, not merely theoretical. For example, in October 2019 I publicly disclosed a macOS privacy protections bypass that I had reported to Apple privately back in February 2019. This issue has never been fixed, and remains in the latest version of macOS almost a year after I reported it to Apple. The Apple Security Bounty eligibility rules also state that researchers must "Not disclose the issue publicly before Apple releases the security advisory for the report". As discussed recently by Google Project Zero, it's common industry practice to disclose reported vulnerabilities after 90 days, but the rules of the Apple Security Bounty could force vulnerability reporters to remain silent indefinitely, which is unacceptable.

I wrote a follow-up email to Apple Product Security asking about the problem of unaddressed vulnerabilities. I hope that Apple has a good solution to this problem, and that Apple's intention is not just to keep vulnerabilities a secret for as long as possible by dangling a bounty in front of the reporters. The point of a bounty program should be to find the vulnerabilities, not to hide the vulnerabilities, which is why timely payment of the bounties, as well as timely disclosure of the vulnerabilities, is essential.

Jeff Johnson (My apps, PayPal.Me)