Developer feels 'robbed' by Apple's Security Bounty Program

[Image: Hacker (Image credit: iMore)]

What you need to know

  • A developer by the name of Nicolas Brunner says they feel robbed by Apple's Security Bounty Program.
  • Brunner discovered a flaw in iOS 13 and was left in the dark by Apple for 14 months.
  • The company finally got back to Brunner, only to say the finding didn't qualify for a payment.

An iOS engineer by the name of Nicolas Brunner says they feel "robbed" by Apple after discovering a bug in iOS 13, only to be told their findings didn't qualify for the company's Security Bounty Program.

In a blog post on Medium, Brunner writes: "This is my personal story with the Apple Security Bounty program and why I believe it is a lie after reporting an issue, testing fixes and being left in the dark after 14 months."

Brunner claims that in March 2020 they found a way "to access a User's location permanently and without consent on any iOS 13 (or older) device". Apple accepted Brunner's report, fixed the flaw, and even credited Brunner with the finding in the iOS 14 security release notes. However, Brunner says they feel "robbed" by the company after being told the finding did not qualify for a payout from Apple's Security Bounty Program:

The report got accepted and the issue was fixed in iOS 14 and I got credited on the iOS 14 security content release notes. However, as of today, Apple refuses any bounty payment, although the report at hand very clearly qualifies according to their own guidelines. Also, Apple refuses to elaborate on why the report would not qualify. So read this article with a pinch of salt, since as a long-time iOS developer I'm very disappointed with Apple's communication.

Brunner says Apple took 14 months to clarify that they wouldn't be receiving a payment. An email received in May states "the issue has been reviewed for the Apple Security Bounty, and, unfortunately, it does not qualify." Brunner insists the finding does in fact fall under Apple's 'App access to sensitive data normally protected by a TCC prompt' category, which can pay out up to $100,000 to whoever discovers the issue.

Brunner stated in the post that they hope "the security bounty program turns out to be a win-win situation for both parties" but saw no reason at present "why developers like myself should continue to contribute to it."

Apple launched the most recent version of its Security Bounty Program in December 2019. The program can pay out as much as $1.5 million if a developer finds an issue previously unknown to Apple, and its website further states that "All security issues with significant impact to users will be considered for Apple Security Bounty payment, even if they do not fit the published bounty categories."

iMore has reached out to Apple for comment on the story.

Stephen Warwick
News Editor

Stephen Warwick has written about Apple for five years at iMore and previously elsewhere. He covers all of iMore's latest breaking news regarding all of Apple's products and services, both hardware and software. Stephen has interviewed industry experts in a range of fields including finance, litigation, security, and more. He also specializes in curating and reviewing audio hardware and has experience beyond journalism in sound engineering, production, and design. Before becoming a writer Stephen studied Ancient History at University and also worked at Apple for more than two years. Stephen is also a host on the iMore show, a weekly podcast recorded live that discusses the latest in breaking Apple news, as well as featuring fun trivia about all things Apple. Follow him on Twitter @stephenwarwick9
