Ask HN: How do I make Apple pay up?

4 points by hgezim 3 years ago · 11 comments · 1 min read


On the 3rd of March, I happened on a severe security vulnerability on an Apple product. Immediately, I reported it to them via the Apple Security Research program.

In the initial report, I didn't know I could upload videos and I asked them if I could upload my video proof to YouTube (unlisted). They told me not to — presumably because they didn't want this to be public.

It took them another 9 days (March 14th) to decide that this wasn't an issue. At that point the ticket got marked as "This is expected behavior."

I'm convinced that if this vulnerability is made public, Apple would change their mind about its severity.

I'm not sure if I can share it, though, as they might use it as an excuse not to pay me a bounty. Thoughts on how to approach this?

PS: I asked them if I could post it publicly after they closed the ticket but haven't heard anything from them.

latexr 3 years ago

Apple is notoriously stingy with bug bounties.¹ They also like to say “going to the press doesn’t help” when time and again it’s been shown they only react to bad press.

If the issue you found is “expected behaviour”, then there’s no harm in sharing it. Do it publicly while mentioning your timeline and their response. Let everyone else decide if it’s truly an issue or not. If they end up changing it, it becomes proof you found a legitimate problem. That doesn’t guarantee they’ll pay up, but they’ll get even more bad press if they don’t.

Apple has already indicated they don’t intend to pay you. By keeping the problem a secret you have no recourse and will continue not being paid. Unless you know someone at Apple which could make it happen, anything other than sharing the bug is a waste of your time and presumably harmful for users who won’t know of the problem and thus can’t protect against it.

¹ https://www.macrumors.com/2021/09/09/security-researchers-ap...

  • hgezim (OP) 3 years ago

    Hey thanks for this take. Definitely feels like the approach I should take based on their behaviour.

    Besides, what’s the harm in me discussing “intended behaviour”?

    • zamnos 3 years ago

      I recommend waiting the industry standard 90 days before volunteering intended behavior.

      • josephcsible 3 years ago

        Why wait? The point of the 90 days is to give them time to fix it, but if they consider it intended behavior, they aren't going to fix it.

        • zamnos 3 years ago

          If they don't intend to fix it, then what's the problem with waiting? The bug's still gonna be there in 90 (minus however long it's already been) days and rushing disclosure really doesn't reflect well on you as a researcher to the rest of the industry. Ofc if you have your own bug, you're welcome to disclose it whenever you want, even violating NDAs if you feel like the vendor hasn't gone far enough. There may be legal repercussions with that last bit, but again, that's up to you.

      • hgezim (OP) 3 years ago

        Oh that’s cool! I forgot about this!

BrentOzar 3 years ago

Talk to a few of your trusted peers about the effect (not the mechanics) of the vulnerability.

As in, "If you hand me your iPhone, I can unlock it without knowing your password." Don't tell them how, just describe in 1 sentence what access you need, and what you're able to do. If your trusted peers (not drinking buddies who do other jobs) are impressed, then widen the circle a little - tell strangers (like HN readers) that same thing, and ask if it's a vulnerability.

It'll just help you have a sanity check about whether or not it's actually a vulnerability that Apple needs to fix, or perhaps it's someone else's, or not really that big of a deal.

  • hgezim (OP) 3 years ago

    Maybe I'm drinking my own koolaid here but I don't feel safe when I use this Apple device regularly.

    How does Apple establish "prior art" if I go public with it? Can someone else claim credit for it?

    • BrentOzar 3 years ago

      > How does Apple establish "prior art" if I go public with it?

      You're not going public with the HOW, only the effects. Reread my comment about asking your trusted peers, please.

      • hgezim (OP) 3 years ago

        And then send Apple my survey results?! Not seeing the light at the end of the tunnel here.

        • BrentOzar 3 years ago

          You're assuming your peers will agree with you. I'm gently suggesting that they may not, and you need that check.

          You might be right. It might be the next Meltdown vulnerability. But it might not, and Apple already told you it isn't, and that's why you need to talk to your peers.
