In August, I submitted a security report via the ASR (Apple Security Research Project). The report involves a vulnerability exploitable by malicious actors, potentially granting unauthorized access to Apple ID accounts.
On Aug 31, the Apple security team validated my report, asking me to keep conversations confidential. They confirmed the issue’s resolution through a system change. Apple asked me to evaluate whether their fix worked and said it would give me credit and other potential rewards when I evaluated and confirmed the problem was resolved.
After I made the vulnerability assessment and confirmation, I heard nothing back until recently, when I was informed that I was ineligible for credit or other recognition because Apple obtained the vulnerability from other sources.
When I pointed out their previous commitment and their specific policies, Apple modified our conversation record and webpage fine print, pretending it was me who hadn’t read it carefully.
This can be verified via the Wayback machine.
(Part of the image has been redacted because Apple still considers it confidential)
Delete this post now. Go talk to a pro bono lawyer.
Thank you for your advice. I will try to find legal assistance, but this post may be my only way to get a response from Apple.
No. The only way is the legal way. You DON’T want internet attention.
I’m a lawyer. Apple won’t care about your internet post (and may try to find a way to use it as evidence against you if you get into a legal dispute).
You should delete it and look into talking to a lawyer. Apple has already (allegedly) gaslighted you, so why would you posting this on a random internet forum change that?
Reach out to your school/university, a lot have legal/lawyer student resources. Maybe even more if your school has a legal major.
Good, I’m glad this happened to you
Should have sold it to Blackcube or something
Some don’t read so good:
(From the 10/31 way back page)
“Apple Security Bounty reward payments are made at Apple’s sole discretion and are based on the type of issue, the level of access or execution achieved, and the quality of the report.”
“Sole discretion” actually means something, sport.
With this post you’ve assured you will never be paid and may be sued.
Send an email to Tim Cook
I have already emailed Mr. Cook before but the email was forwarded to the security team. I will try to write a follow-up. Thanks for the suggestion.
I feel your pain…
A long time ago, I found a security flaw that allowed someone to completely take control of a Mac that was directly connected to the Internet with default settings. The funny thing is that I worked at a fairly major media company producing tech industry news at the time and could’ve broken this as a story as opposed to telling them confidentially to allow them to fix it before anyone was victimized.
And yet, nothing in terms of credit or compensation. Not even a thank you beyond acknowledging the issue was fixed.
On the plus side, they did patch the flaw which allowed me to feel safer.
I agree with others here. If you want to pursue this, delete this post and contact a lawyer. Or leave this post up as a way of venting and move on. For me, I knew people at Apple and of course could’ve produced a segment on the whole thing, but meh, I had other stuff going on.
I can understand why you’re upset, and as someone who has dealt with Apple Product Security myself, I think it and the Apple Security Bounty Program suck, especially in terms of communication, but this is how it often goes. Apple is a bureaucratic organization, and the left hand doesn’t know what the right hand is doing.
The people who are saying you should contact a lawyer are ignorant and full of crap. You’ll never win in a million years.
They put new terms on the bounty page so as not to give me credit.
That’s an extremely implausible and very self-centered conspiracy theory.
Apple modified our conversation record
What does that mean exactly?
You can verify it yourself via the Wayback machine. Wait for the web page to load, click on the service, and compare the current web page.
What exactly am I supposed to verify? I’ve looked at the two web pages, and I’m not seeing a smoking gun here. You should quote the relevant difference.
On November 13th, I pointed out that I was in compliance with Apple’s policies and asked them to clarify why they were not giving me credit.
On November 14, Apple’s security team cited “Issues eligible for public acknowledgment” to refuse to give me credit. However, this paragraph did not exist before I brought it to the team’s attention.
On the same day, Apple deleted the following sentence from the communication records: “Please verify that the issue is addressed and let us know in the comments, if you haven’t already. After we receive your confirmation, we will credit you for this report.”