In August, I submitted a security report via the ASR(Apple Security Research Project). The report involves a vulnerability exploitable by malicious actors, potentially granting unauthorized access to Apple ID accounts.

On Aug 31, the Apple security team validated my report, Asking me to keep conversations confidential. They confirmed the issue’s resolution through a system change. Apple asked me to evaluate whether their fix worked and said it would give me credit and other potential rewards when I evaluated and confirmed the problem was resolved.

After I made the vulnerability assessment and confirmation, I heard nothing back. Until recently, I was informed that I was ineligible for credit or other recognition because Apple obtained the vulnerability from other sources.

When I pointed out their previous commitment and their specific policies, Apple modified our conversation record and webpage Fine Print, pretending It was me who hadn’t read it carefully.

https://imgur.com/a/N9cX3oH

This can be verified via the Wayback machine.

(Part of the image has been redacted because Apple still considers it confidential)

  • mredofcourseB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I feel your pain…

    A long time ago, I found a security flaw that allowed someone to completely take control of a Mac that was directly connected to the Internet with default settings. The funny thing is that I worked at a fairly major media company producing tech industry news at the time and could’ve broken this as a story as opposed to telling them confidentially to allow them to fix it before anyone was victimized.

    And yet, nothing in terms of credit or compensation. Not even a thank you beyond acknowledging the issue was fixed.

    On the plus side, they did patch the flaw which allowed me to feel safer.

    I agree with others here. If you want to pursue this, delete this post and contact a lawyer. Or leave this post up as a way of venting and move on. For me, I knew people at Apple and of course could’ve produced a segment on the whole thing, but meh, I had other stuff going on.