Experiences with Apple Security Bounty
Since Apple started their Apple Security Bounty program I have submitted around 50 cases to their product security team. I thought I would share my experiences working with Apple over the past 2 years. This will be useful to anyone thinking about participating in the program, and will help set expectations.
Beyond Apple, I also do bug bounties in other programs, like HackerOne, BugCrowd, VCP, ZDI, or sometimes just working directly with vendors, so I have a good pool of other cases I can compare to.
I also need to highlight that I do BB as a hobby, beyond my primary work. It’s mainly because I think I wouldn’t easily handle the uncertainty that comes with making a living out of these programs, and I also like doing other stuff.
Talking to other people who also participate in the program, we share the same experiences, so I can say that the observations below are universal.
With that let’s see what ASB has to offer.
I think the submission is smooth. When you send an email you are immediately assigned a case number and the process starts.
Communication
Or more like, “lack of communication”. When you submit a ticket, in a few days you receive an automated template saying that they are investigating, and please don’t disclose. They also state upfront that they don’t provide status updates; you need to ask for them.
The issue is that even if you ask for an update, you don’t get any. Oftentimes it feels like I’m sending emails into a black hole. This is really frustrating. Even a reply like “we don’t have any update at the moment” would be nice, but oftentimes that is also missed.
Sometimes they do reply, and the product security team replies more frequently than any other team at Apple I have worked with. I guess this can be taken as a positive note, although there is room for improvement :) From the outside, it seems that there are fewer than 10 people who handle cases in the product security team. I’m not sure if they are overloaded, but if so, Apple should definitely hire more people.
I think this communication problem is a systemic issue at Apple; for example, people don’t get any response to issues submitted via the Feedback application. Similarly, when I worked with the developer entitlement team regarding my Shield app, I also never got replies.
My advice is that if you want to get updates, follow up frequently and eventually they will tell you what is going on.
To be fair, if you don’t send any emails and your issue is fixed and eligible for a bounty, they will notify you.
Time to Fix
This varies, but overall it takes a long time. If you are a person who is not willing to wait more than three months, this is definitely not the program for you.
Although, compared to many programs on H1 or BugCrowd, they are not an outlier here, some cases can easily go over a year. This is especially true for design issues, which are typically addressed only in the next major release (e.g. macOS 12). I’m personally tracking 7 such cases.
I think Apple should improve a lot here.
Once the issue is fixed, Apple will review the case and decide whether it’s eligible for a bounty or not. I think this is the worst part of the whole process. This can take an extremely long time: I have issues which were fixed in the initial release of Big Sur (half a year ago!) and a decision hasn’t been made yet. Unbelievable! I honestly don’t know what takes so much time. Considering how much money Apple has, this is truly unfair behavior towards researchers.
Apple will pay eventually if the issue is eligible, but why they sit on it for so long… who knows.
I think this is the reason you can’t rely on them for a living, unless you have a buffer for a year or two. In that case it might work.
Sometimes, and it’s a mystery when it happens, Apple will pay a reward before the fix is rolled out to customers. I have no idea why and when they do it, but it’s still nice. Although it’s also rare: to me it has only happened once.
In my experience, bugs that give you more privileges in any form will be eligible for a bounty. In contrast, issues that fall under more systemic or design problems in the operating system are not. They do fix them, or work on them, but not only does it take an extended amount of time, these issues are often considered ineligible. I think this should change, as fixing design issues improves platform security more than fixing a single vulnerability.
I think this is where Apple’s bounty program shines, and makes a huge difference compared to any other program, including most private programs on H1 or BugCrowd. I think Apple pays the best rewards in the whole industry. The reward amounts advertised on their website are not fake; someone can easily get tens of thousands of dollars for privacy bypasses or privilege escalation cases. They also truly pay a minimum amount of $5k. Although I could never max out a reward for a specific bug category, you can get pretty close.
Once a decision has been made about the amount, this goes smoothly. They normally process the payment in a week or two, and you will receive it either at the end of that month or the following one. No issues here at all.
You need to enroll in the Apple Developer program, and they will pay via their iTunes Connect platform. If you are not enrolled already, they are happy to refund the $99 which is needed for the enrollment.
I think Apple’s bounty program is bittersweet. The reward amount is definitely a huge plus, but the lack of communication and the long adjudication time can cause a lot of frustration. I think these things could be easily improved, and if they were, the full program could offer a really nice experience.