Still no credit from Apple Product Security

February 8, 2019

By Jeff Johnson

I found a bug in the new privacy protections of macOS 10.14.0, and that bug was fixed in macOS 10.14.1. I've already described the bug in a previous blog post. I support the requests for a Mac bug bounty program by security researchers such as Linuz Henze and Patrick Wardle, but I personally am not asking for a monetary bug bounty and never have asked for money in exchange for the bug report. (Though a bug bounty would be nice!) All I want is public credit for reporting the bug. To date, Apple Product Security has failed to credit me.

Below is a timeline of events related to the bug. All dates are in 2018; nothing new has happened in 2019.

September 24: macOS 10.14.0 was released to the public. I discovered the bug on that day and emailed a report to Apple Product Security. I received both automated and personal responses from Apple Product Security acknowledging the receipt of the bug report.

September 26: I emailed some additional technical information to Apple Product Security, and they replied thanking me.

October 30: macOS 10.14.1 was released to the public, and a support article was posted, as is standard for security updates. I emailed Apple Product Security.

"Could I please get an update on this issue? It seems like macOS 10.14.1 may have fixed it, but I don't see anything in the release notes:"

November 1: Apple Product Security replied.

"Thank you for bringing this to our attention. We're looking into this and hope to have an update for you soon."

November 14: I emailed Apple Product Security again asking for an update.

November 30: Apple Product Security finally replied.

"I apologize for the delay in getting back to you. I am looking into this and will have an update for you this coming Monday."

December 3: Apple Product Security emailed.

"We have addressed this issue with macOS Mojave 10.14.1, and will be updating our advisories to include your information. I apologize that you were not credited initially. Would you please let us know if you would like to be credited, and the information you would like us to use? The information is typically in the following format: [Person] of [Company or School or Agency]"

December 4: I replied.

"Thank you. I'd like to be credited as Jeff Johnson of"

December 5: Apple Product Security replied.

"I will let you know once that update has been made and your information has been posted on that advisory."

December 21: Apple updated the support article with some unspecified changes, as indicated by "Published Date: December 21, 2018". However, no reference to my bug was added.

I could continue to pester Apple Product Security by email, but I don't feel like it. I shouldn't have to. I shouldn't have to do anything except report the bug, which I did. I can accept that a mistake was made when my bug was not credited along with all of the others on October 30. What I cannot accept is that it takes more than 3 months to fix the mistake and simply update a web page on their site.

On a tangentially related note, the scam apps in the App Store that I blogged about previously are still in the App Store today. I also reported these apps to Apple Product Feedback. I'm not sure if that's where you're supposed to report App Store scams. Should you email Apple Product Security? Who knows. Why isn't there a clearly identified place to report App Store scams to Apple?