Apple Security Bounty is getting better, but the problems remain
Security researchers said the Apple bug bounty has shown signs of improvement in recent months, although some major weaknesses remain.
Apple Security Bounty (ASB), the tech giant's bug bounty program, launched to the public in 2019. Last fall, several security researchers told SearchSecurity about the challenges of working with the vendor. Their criticisms included inconsistent communication, denial of bug bounty payments, and "silent patching," the vendor's practice of fixing a bug without disclosing the vulnerability or crediting the researcher.
In response to these criticisms, Apple told SearchSecurity last fall that it was improving response times, further improving communication and offering new rewards to researchers.
Six months later, researchers said Apple's communication issues had improved significantly, especially early this year.
Communication improvements
Jose Rodriguez, a prolific ASB researcher who is often credited under the handle "videosdebarraquito," said Apple has grown more responsive in recent months, especially early this year.
Wojciech Reguła, an iOS and macOS security researcher who previously spoke with SearchSecurity about Apple's bug bounty issues, had similar thoughts. He noted that last year there had been a "tremendous improvement."
"I sent six or so emails that day [to Apple] with status update requests; they responded to four in less than 12 hours. I would say the situation changed at the beginning of 2022 - I think they hired more people."
In a tweet on March 22, he said he received a bounty decision on a recent vulnerability one week after it was fixed. For an earlier flaw, Reguła submitted the vulnerability in June 2020, saw it fixed in November, and was only awarded the bounty after a reassessment in November 2021.
An anonymous researcher using the Twitter handle "08Tc3wBB," who, like Reguła, previously spoke to SearchSecurity, said he has seen an overall improvement from the vendor over the years. When he reported bugs to Apple in 2016 and 2017 (before the public launch of ASB), the only response he remembered was a "cold, harsh automated response message followed by months and months of silence."
This changed as of 2020, when Apple began sending an additional response shortly after the initial response message.
"It's basically an email telling you that someone from the Apple Product Security Team has reviewed your report, and that person's name is included. It feels a lot better than dealing with an auto-responder bot," 08Tc3wBB said in an email. "It's been like this ever since. I consider it an improvement that Apple has made in terms of communications."
Researcher Saurabh Sankhwar also noted some improvement in Apple's communication, but said that in his experience, the type of vulnerability determines the quality of Apple's communication. This includes not only critical bugs taking priority over less severe ones, but also the type of Apple product the bug is reported against.
"If there is a bug associated with an Apple product such as an iPad or MacBook, you may get a response within 48 hours whether or not it is a valid bug," he said. "If you report a bug related to an Apple-owned website, you may have to wait a long time - two months - to get the first proper response from the team."
Sankhwar pointed to a vulnerability in the website of Claris, an Apple subsidiary. He said he sent the bug to Apple last May, was asked for credential information in February, and is still waiting for a payout.
Reguła also noted some variance in response, saying that high-severity bugs get faster response times than low-severity ones.
"I've had issues that Apple fixed very quickly with great communication, and at times I've had the opposite situation," he said.
An example of bug bounty payout figures from Apple's official website. Apple advertises some of the highest payouts among vendor-run bounty programs.
Remaining pain points
Brandon Perry, a security researcher and principal research consultant at Atredis Partners, had mixed feelings about Apple's bug bounty program. In a mid-February Twitter thread, he said he had not received any substantial updates on a number of vulnerability submissions in "weeks," despite repeated email requests for updates. He detailed the vulnerabilities, which were related to GarageBand and Logic Pro X, in a blog post.
In the blog post, Perry said he sent Apple 38 crashes, two of which were eventually assigned security-related CVEs (CVE-2022-22657 and CVE-2022-22664). The bugs were originally submitted in December 2021, and Perry received an update from Apple shortly after posting the Twitter thread. The fixes were noted in a security update on March 14.
"I felt like getting any information from Apple until the bugs were pushed into the fix was like pulling a tooth," Perry told SearchSecurity. He said other programs, such as HackerOne and Bugcrowd, are "more responsive and interactive."
Although he cited these issues as room for improvement, Perry said the four-month response time on 38 bug submissions was an "excellent ratio of time to bugs."
Despite improved communication and response times, complaints about inconsistent patching appear to be an ongoing issue for Apple. For example, the company was recently criticized for its handling of two recent zero-day patches: CVE-2020-22674 and CVE-2022-22675. The actively exploited flaws were fixed in the company's macOS Monterey operating system as well as many iPhone and iPad models; however, the company has yet to offer similar patches for Macs running macOS Catalina and Big Sur.
Rodriguez pointed to another persistent issue: low payouts. Apple advertises some of the highest payouts among vendor-run bug bounty programs, but Rodriguez said Apple often "cuts" vulnerability payouts to a fraction of the figures on its website. In a recent example, he cited a vulnerability with an advertised payout range of $100,000 at the low end to $250,000 at the high end. He said the amount he would receive was $25,000 - a quarter of the minimum.
Another security researcher, who asked not to be identified, described Apple's payout list as "not detailed enough." However, they said they sometimes received bounties that were slightly larger than expected, and that payouts may vary based on the quality of the report and the impact of the vulnerability.
On the other hand, the researcher described a recent case in which they reported an exploit chain to Apple and the vendor paid for the bugs individually rather than awarding a larger bounty that recognized the chain as a bigger problem.
Apple had not responded to SearchSecurity's request for comment as of press time.
Alexander Culafi is a Boston-based writer, journalist and podcaster.