
Developer feels 'robbed' by Apple's Security Bounty Program

 2 years ago
source link: https://www.imore.com/developer-feels-robbed-apples-security-bounty-program

What you need to know

An iOS engineer by the name of Nicolas Brunner says they feel "robbed" by Apple after discovering a bug in iOS 13, only to be told their findings didn't qualify for the company's Security Bounty Program.

In a blog post on Medium, Brunner writes: "This is my personal story with the Apple Security Bounty program and why I believe it is a lie after reporting an issue, testing fixes and being left in the dark after 14 months."

Brunner says that in March 2020 they found a way "to access a User's location permanently and without consent on any iOS 13 (or older) device". Apple accepted the report, fixed the issue, and credited Brunner for the finding in the iOS 14 security release notes. Brunner nonetheless feels "robbed" after being told the finding did not qualify for a payout from Apple's Security Bounty Program:

The report got accepted and the issue was fixed in iOS 14 and I got credited on the iOS 14 security content release notes. However, as of today, Apple refuses any bounty payment, although the report at hand very clearly qualifies according to their own guidelines. Also, Apple refuses to elaborate on why the report would not qualify. So read this article with a pinch of salt, since as a long-time iOS developer I'm very disappointed with Apple's communication.

Brunner says Apple took 14 months to confirm that no payment would be made. An email received in May states that "the issue has been reviewed for the Apple Security Bounty, and, unfortunately, it does not qualify." Brunner maintains that the finding falls under Apple's published category 'App access to sensitive data normally protected by a TCC prompt', which pays up to $100,000 to the reporter.

Brunner stated in the post that they hope "the security bounty program turns out to be a win-win situation for both parties" but saw no reason at present "why developers like myself should continue to contribute to it."

Apple launched the most recent version of its Security Bounty Program in December 2019. The program can pay out as much as $1.5 million for an issue previously unknown to Apple, and its website further states that "All security issues with significant impact to users will be considered for Apple Security Bounty payment, even if they do not fit the published bounty categories."

iMore has reached out to Apple for comment on the story.
