In August, I submitted a security report via the ASR(Apple Security Research Project). The report involves a vulnerability exploitable by malicious actors, potentially granting unauthorized access to Apple ID accounts.

On Aug 31, the Apple security team validated my report, Asking me to keep conversations confidential. They confirmed the issue’s resolution through a system change. Apple asked me to evaluate whether their fix worked and said it would give me credit and other potential rewards when I evaluated and confirmed the problem was resolved.

After I made the vulnerability assessment and confirmation, I heard nothing back. Until recently, I was informed that I was ineligible for credit or other recognition because Apple obtained the vulnerability from other sources.

When I pointed out their previous commitment and their specific policies, Apple modified our conversation record and webpage Fine Print, pretending It was me who hadn’t read it carefully.

https://imgur.com/a/N9cX3oH

This can be verified via the Wayback machine.

(Part of the image has been redacted because Apple still considers it confidential)

  • UnderpassAppCompany@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I can understand why you’re upset, and as someone who has dealt with Apple Product Security myself, I think it and the Apple Security Bounty Program suck, especially in terms of communication, but this is how it often goes. Apple is a bureaucratic organization, and the left hand doesn’t know what the right hand is doing.

    The people who are saying you should contact a lawyer are ignorant and full of crap. You’ll never win in a million years.

    They put new terms on the bounty page so as not to give me credit.

    That’s an extremely implausible and very self-centered conspiracy theory.

    Apple modified our conversation record

    What does that mean exactly?

    You can verify it yourself via the Wayback machine. Wait for the web page to load, click on the service, and compare the current web page).

    What exactly am I supposed to verify? I’ve looked at the two web pages, and I’m not seeing a smoking gun here. You should quote the relevant difference.

    • wsal32@alien.topOPB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      On November 13th, I pointed out that I was in compliance with Apple’s policies and asked them to clarify why they were not giving me credit.

      On November 14, Apple’s security team cited “Issues eligible for public acknowledgment. "To refuse to give me credit. However, this paragraph did not exist before I brought it to the team’s attention.

      On the same day, Apple deleted the following sentence from the communication records: “Please verify that the issue is addressed and let us know in the comments, if you haven’t already. After we receive your confirmation, we will credit you for this report.”

      https://imgur.com/a/YYCl5Z8