Since 2016, Apple has run a security bounty program that rewards developers, researchers, and hackers who report major security flaws in its software. Payouts range from $25,000 to $1 million, depending on the nature and severity of the reported flaw.
Nicolas Brunner took part in that program, and the experience left him bitter about how it operates and how Apple handled his discovery. A developer at the Swiss Federal Railways, he ran into a geolocation bug in iOS 13 that Apple confirmed and fixed in iOS 14.
It was in March 2020, Brunner recounts, while working on a project that involved location tracking via beacons, that he noticed abnormal iOS behaviour: his test app could keep retrieving the iPhone's location while in the background, even though the user had expressly denied background location access.
On March 2 he contacted Apple's security team, supplying everything needed to reproduce the problem. On March 10 he received a reply saying the issue was under investigation. Six months later, on September 8 and 19, he was told that the bug should be fixed in a beta of the upcoming iOS 14, was asked to verify the fix, and was informed that he would be credited for the find on Apple's security updates page.
With his contribution acknowledged, Brunner took the opportunity to request a reward under the Apple Security Bounty. A legitimate request, since the problem concerned the system's handling of user location, and privacy is a cause Apple champions.
There followed a string of email exchanges between October 2020 and May 2021: first he was told his submission was under review, then that a decision would not be delayed much longer, and finally that his bug was not eligible for a reward. From there, despite his follow-ups, Apple did not budge.
Ultimately, Apple judged that a bug allowing an app to improperly retrieve geolocation data did not meet the criteria for a reward. Yet Apple's own list of eligible vulnerabilities includes precisely this case: unauthorized access to so-called sensitive data (a category Apple's program explicitly defines to include location data) by a user-installed app that gets around the permissions the user granted. Apple may well have grounds to reject eligibility, but in this case its answer appears contradictory.
This category of flaw carries rewards of $25,000, $50,000, or $100,000. Large sums for an individual, but modest for Apple.
Enough to leave Nicolas Brunner pensive, and above all upset by the experience. Given an exchange that stretched over more than a year and what came of it, he sees no incentive to repeat it: "I feel like I've been robbed," he writes. "I don't see why a developer would bother to create a demo app, write the source code, exchange multiple emails, and test the fix in beta. As for me, they won't catch me doing that again."