Apple Security Bounty is getting better, but problems persist


Security researchers said Apple's bug bounty program has shown signs of improvement in recent months, but some major woes remain.

The tech giant's bug bounty program, Apple Security Bounty (ASB), went public in 2019. Last fall, several security researchers told SearchSecurity about the difficulties of working with the vendor. Among their criticisms were inconsistent communication, denial of bug bounty payments, and "silent patching", the practice of fixing a bug without disclosing the vulnerability in question or crediting the researcher.

In response to these criticisms, Apple told SearchSecurity last fall that it was working to improve response times, further improve communications, and offer new rewards for researchers.

Six months later, researchers said Apple's communication problems had improved significantly, especially earlier this year.

Communication improvements

Jose Rodriguez, a prolific ASB researcher known by the handle "videosdebarraquito", said that Apple has become more responsive in recent months, especially earlier this year.

iOS and macOS security researcher Wojciech Reguła, who previously spoke to SearchSecurity about Apple's bug bounty issues, expressed similar sentiments. He said he had seen "big improvement" in the past year.

"I sent six or more emails [to Apple] with status update requests, and they responded to four in less than 12 hours."

Reguła tweeted on March 22 that he was rewarded for a recent vulnerability a week after it was fixed. For an earlier flaw, Reguła submitted the vulnerability in June 2020, saw it fixed in November, and only received the bounty decision in November 2021.

An anonymous researcher with the Twitter username "08Tc3wBB", who, like Reguła, previously spoke to SearchSecurity, said he has seen overall improvement from the vendor over the years. When he reported bugs to Apple in 2016 and 2017 (before ASB went public), the only response he remembered was a "cold, harsh auto-reply message followed by months of silence."

This changed in 2020, when Apple began sending an additional reply shortly after the initial automated message.

"Basically, it's an email saying that someone from the Apple Product Security Team is reviewing your report, and that person's name is included. It feels so much better than messing with the auto-reply bot," 08Tc3wBB said in an email. "It's been like that ever since. I see it as an improvement Apple has made in terms of communications."

Researcher Saurabh Sankhwar has similarly seen some improvement in Apple's communications, but said that in his experience the type of vulnerability determines the quality of Apple's communications. Not only do critical bugs take precedence over less critical ones, but the type of Apple product the bug was submitted against also matters.

"If a bug is related to an Apple product such as an iPad or MacBook, you can get a response within 48 hours, whether it's a valid bug or not," he said. "If you report a bug with an Apple website, you may have to wait a long time - two months - to get the first appropriate response from the team."

Sankhwar cited a vulnerability with the website of Apple's subsidiary Claris. He said he submitted the bug to Apple last May, requested credit information this February, and is still waiting for a reward payment.

Reguła also noted some differences in responsiveness, saying that high-severity bugs got faster response times than low-severity ones.

"I've had issues that Apple fixed really quickly with great communication," he said, "and sometimes I've had the opposite."

[Image: example bug bounty payout figures from Apple's official website. Apple advertises some of the highest payouts among vendor-run bug bounty programs.]

Remaining pain points

Brandon Perry, security researcher and principal research advisor at Atredis Partners, gave mixed feedback on Apple's bug bounty program. In a mid-February Twitter thread, he said that despite repeated email requests for updates, he had not received any substantive update in "weeks" on a series of vulnerability reports. He detailed the vulnerabilities, which related to GarageBand and Logic Pro X, in a blog post.

In the blog post, Perry said he had submitted 38 crashes to Apple, two of which were eventually recognized as security-related CVEs (CVE-2022-22657 and CVE-2022-22664). The bugs were first submitted in December 2021, and Perry received an update from Apple shortly after the Twitter thread was posted. He was credited in the March 14 security update.

"Until the bugs were fixed, getting any information from Apple was like pulling teeth," Perry told SearchSecurity. Other programs like HackerOne and Bugcrowd are "more responsive and interactive," he said.


Perry said that a four-month turnaround on 38 bug submissions was an "excellent bug time rate," although he pointed out that the communication issues are areas for improvement.

Despite improved communication and response times, complaints about inconsistent patching appear to be an ongoing issue for Apple. For example, the company was recently criticized for its handling of patches for two zero-day vulnerabilities, CVE-2022-22674 and CVE-2022-22675. The actively exploited flaws were patched on various iPhone and iPad models, as well as on the company's macOS Monterey operating system; however, the company had yet to offer similar patches for Macs running macOS Catalina and Big Sur.

Rodriguez pointed to another ongoing problem: low payouts. Apple advertises some of the highest payouts among vendor-run bug bounty programs, but Rodriguez said that Apple's vulnerability payments are usually "low", a fraction of the sample figures on Apple's website. In a recent example, he cited a vulnerability with an advertised low end of $100,000 and a high end of $250,000. He said the payout he would receive was $25,000, a quarter of the lower limit.

Another security researcher, who asked to remain anonymous, similarly described Apple's payout list as "not detailed enough". However, they said they sometimes receive slightly larger rewards than they expected, and that payouts can vary based on report quality and vulnerability impact.

On the other hand, the researcher described a recent case in which they reported an exploit chain to Apple and the vendor paid for the bugs one by one, rather than paying an increased bounty that acknowledged the chain as a bigger issue.

Apple did not respond to SearchSecurity's request for comment at press time.

Alexander Culafi is an author, journalist, and podcaster based in Boston.
