What happened to the Mac bug bounty program?

October 8 2019 by Jeff Johnson

On August 8 at the Black Hat 2019 conference, Apple announced that they were expanding their bug bounty program for security vulnerabilities. Apple's previous, limited bug bounty program was available only to Apple-selected security researchers, and it covered only iOS. The expanded bug bounty program would be open to anyone, and it would cover all of Apple's operating systems, including macOS.

Two months later, Apple has shipped major updates to all of their operating systems. Yesterday, macOS 10.15 Catalina was released. And yet, the new bug bounty program has not opened. Perhaps the public assumes that the bug bounty program has already expanded, but it has not. To this day, there's still no Mac bug bounty program. Apple announced the expanded bug bounty program while their major OS updates were still in beta testing, but Apple did not open the bug bounty program during the beta testing period. The irony is that the new program was announced to offer increased bounties for bugs found in pre-release software, but no opportunity was given for that to occur.

In the past month, I've personally discovered two different vulnerabilities in macOS. Both of these vulnerabilities still exist in macOS Catalina, which is now available to the public. I've been waiting for the Mac bug bounty program to open to report the bugs to Apple. Needless to say, I've not yet reported the bugs to Apple. I suspect that I'm not the only person sitting on Mac vulnerabilities, waiting for Apple to open the Mac bug bounty program. Apple had to know that this would happen when they made the announcement, so why did they preannounce and then fail to follow through? Did Apple not want to hear about their vulnerabilities?

I want to report my bugs to Apple, but I'm not going to do so until the Mac bug bounty program opens. I could really use the money, to be honest. I'm not wealthy. In fact, three years of indie development have turned me from comfortable into very uncomfortable. I know why I'm waiting, but what are you waiting for, Apple?

I emailed Apple Product Security on September 27 to ask whether my previously reported vulnerability would be eligible for the Mac bug bounty program. Apple Product Security has not replied to my email. If you've read Apple's security release notes for macOS 10.15 Catalina, you won't find my name in there. That's because the vulnerability has not been addressed, and it still exists in Catalina. If it's not eligible for a bug bounty, then I may have to disclose it publicly. I did not give Apple a deadline, but many security researchers give vendors only 90 days before they disclose a reported vulnerability. I reported mine to Apple 8 months ago, so they've had a lot of time.

I see what happened to AirPower and have to wonder if the same thing will happen here. Has the Mac bug bounty program been AirPowered?

Jeff Johnson (My apps, PayPal.Me)