Teenager Who Found FaceTime Bug Will Be Eligible For Bug Bounty Program (9to5mac.com) 49
Grant Thompson, the teenager that reported the FaceTime bug last week, will be eligible for the Apple bug bounty program. "Apple's bug bounty system is typically invite-only and limited to specific categories of security flaws, like accessing iCloud account data or demonstrating ways for iPhone apps to escape the security sandbox of iOS," reports 9to5Mac. "It appears the company is making an exception here given the embarrassingly public nature of the case, although further details about the reward have yet to be discussed." From the report: The FaceTime bug that made waves as result of 9to5Mac's coverage last week was actually first reported to Apple by Grant Thompson and his mother in Arizona a week earlier. However, deficiencies in the Apple bug reporting process meant that the report was not acted upon by the company. Instead, the teenager made headlines when his mother shared their Apple communications on Twitter. Their claims were later proved to be legitimate.
Around January 22, Apple Support directed them to file a Radar bug report, which meant the mother had to first register a developer account as an ordinary customer. Even after following the indicated steps, it does not appear that Apple's product or engineering teams were aware of the problem until its viral explosion a week later. CNBC reports that an unnamed "high-level Apple executive" met with the Thompsons at their home in Tucson, Arizona on Friday. They apparently discussed how Apple could improve its bug reporting process and indicated that Grant would be eligible for the Apple bug bounty program.
Around January 22, Apple Support directed them to file a Radar bug report, which meant the mother had to first register a developer account as an ordinary customer. Even after following the indicated steps, it does not appear that Apple's product or engineering teams were aware of the problem until its viral explosion a week later. CNBC reports that an unnamed "high-level Apple executive" met with the Thompsons at their home in Tucson, Arizona on Friday. They apparently discussed how Apple could improve its bug reporting process and indicated that Grant would be eligible for the Apple bug bounty program.
Re:Metal Bracelets (Score:4, Interesting)
What laws did he break. And will the victim of the crime press charges?
Hacking itself isn't illegal, nor is stumbling on a security flaw. Crossing the line is using this security flaw to spy, or undo damage onto others.
Actually this makes an interesting case study in crisis management.
For a problem like there there were many changes for Apple to flub the response and make it worse, however for the most part they handled it professionally (not perfectly).
A major security flaw was found, in one of their new features that they were trying to push out as the next big thing. Having this exposed is painful to a company.
1. It hurts them in Marketing
2. It hurts in in PR
3. Their engineers are worried
4. Management is worried
This creates a lot of emotion within the company, emotion often will lead to brash decisions that will just make things work. (Think Steve Jobs "Your Holding it Wrong" on the iPhone 4 loosing connection when a left handed person hold the phone in a particular way.)
However once Apple spotted the reported flaw, and scoped out how bad it was (This seemed to take too long due to bad public bug reporting). They Stopped the service, and put a PR message out stating the problem and why they stopped it. They took the embarrassment of a flaw, to make sure their customer base would be safe. Engineers are now working on a fix. Now Apple management is reaching out to the person who found the bug and rewarded them, also it appears they are trying to make bug reporting more streamlined, to prevent it being public for a week.
I have seen other times when a security flaw is discovered a company would go into panic protected mode. Try to ignore the problem as long as it could, Actively hide or remove any communication about the problem to the public. Find legal action on the more vocal people pointing out the problem. And using PR and Marketing to try to white wash the the problem, while real people are getting hurt. Then finally the fix would be in their quarterly patch (which would probably break other things).
Apple is one of the largest for profit publicly traded companies, during a period of a record slowdown in sales, and with crazy variance in stock price. I am actually surprised on how well Apple is handling this problem. I know this is Slashdot and we are suppose to Hate Apple after 2008, and all things Apple. And a bunch of us are developers/administrators who never had a security hole (exposed), so we all think we are just that good at our job and it is easy to admonish a company for a security flaw. However a security flaw can happen from a misstep anywhere during the product life cycle development, and maintenance.
Now the question you should ask yourself, if a major flaw was found what would you do? And how would your peers honestly respond to your action?
Re: (Score:2)
What would happen if this was your code? Perhaps the internal Apple treatment of engineers is better then the general industry. But normally when there is a problem, the thumb is pressed down on the engineers. Often with the Stupid question on why was this flaw made that way, and why wasn't it caught (and not part of the root cause, but when we have to rush to fix the solution).
Secondly, I expect a degree of pride you place in your work, to have your work publicly pointed out as a security problem, will p
Re: (Score:2)
Big Companies, often have a lot of talking heads and big Egos. A large company is very productive when all the parts run smoothly, however when there is a problem, things go out of wack, and require business agility more prevalent with smaller companies.
It is surprising when a big company can handle a problem rather quickly. Because there are often so many checks and balances to prevent problems, that having to deal with them isn't dealt well.
Now Apple may had policy and procedures for this type of proble
Re: (Score:2)
Let's not rewrite history here. They completely ignored the bug when the teen that found it tried to report it politely and privately even after he and his mother jumped through the hoops "necessary" for them to even report the bug at all. It didn't see any action until it was embarrassingly reported in public with a clear easy to understand and follow video that went viral.
They show no intention of correcting the underlying design bug, they've just papered it over.
another PR slashvertisment from apple (Score:1)
Re: (Score:2, Interesting)
oh what a good company we are, giving bounty money to a teenager despite the fact that by the letter of our rules he shouldn't get any. Applaud us please.
So Apple fixed their own damn rules.
They are allowed to do that, you know.
It looks like Apple's bug system was being run by low- to mid-level managers who were likely cooking the numbers to make themselves look better. (See! No high-level security-related bugs in **MY** project! Umm, yeah, not so much...) The publicity this kid generated got the attention of Apple's executives, who stepped in and seemingly fixed at least part of the problem.
Re: (Score:3)
So Apple fixed their own damn rules.
No, they haven't.
They are allowed to do that, you know.
They are, but they didn't. They're just making an exception, because they need to distract from the fact that they fucked up on a grand scale. Again.
well deserved! (Score:5, Interesting)
It looks to me Thompson found 2 bugs, one with facetime and another with submitting bug reports.
Don't know which of the two is the worst...
Re: (Score:3)
Re: (Score:2)
The very story is about how they not only listen, but actually rewarded someone they didn't promise anything...
The fact that response was delayed is an issue yes, but within a week is still pretty good compared to many companies customer response - which is never...
Re: (Score:3)
They never did willingly listen. They had to be bludgeoned with it on social media just like the other companies.
Re: (Score:2)
Apple included. The slowness and inconsistency of Apple's bug handling is well known among everyone who has ever worked there or developed software for any Apple platform. In fact, at least a few years ago, it was a long-standing joke among Apple engineers that they'll close most of the bugs when they deprecate and subsequently drop support for the tech
Re: (Score:1)
Three Bugs.
The third being a rotten culture to the core.The person logging the call should have escalated immediately bypassing whatever. Bad culture is a management issue. Can't take the initiative? Not empowered?
Agreed - why is it so hard?! (Score:2)
I didn't realize that "regular people" couldn't file bug/security reports with Apple. I know its hard to do so... as I've found bugs in iOS myself and found the process of reporting them to be onerous. It's easier to put them on the Community forum and moan about them than actually file with Apple.
Several instances I've just given up because of either "login" issues or can't attach screen shots / tell the story. By the time I've opened the form I feel like doing something else.
Google and Microsoft have
You kind of can (Score:2)
I didn't realize that "regular people" couldn't file bug/security reports with Apple
You kind of can via the Feedback [apple.com] forms.
Though for something this serious going through bugreport was a better idea, who knows how long it would have taken to be noticed going through Feedback...
Re: (Score:2)
Nice try but the difficulty in submitting bug reports is usually intentional. Many developers are not emotionally prepared to deal with bug reports which they see as criticism of their work. But maybe Apple developers are different.
Re: (Score:3)
No, it's intentional because the vast majority of bugs will be of the kind "I can't turn on my phone". Or "My phone doesn't charge" and the like.
This is par for the course because for the most part, for every legitimate bug that needs investigation, you'll get a million of the ki
Re: (Score:2)
In other words, another usability flaw, something that's not a bug because it was designed that way on purpose due to lack of testing on technically inexperienced people and/or lack of qualified usability experts helping you design your product.
In a first of its kind, bug researcher gets reward (Score:2)
Abusive relationship (Score:3)
This is how abusers string along their victims - random occurrences of being "nice", by doing precisely what they SHOULD be doing. But it doesn't excuse their behavior the rest of the time. Apple has been generally unresponsive to bug reports since their first days. They pissed on their user base with this garbage bug, and now all they have to do to distract their Stockholm syndrome audience is grant a bug bounty to someone who clearly deserves it. "Look", they'll say, "Apple can do the right thing!" Yes, but only when it would otherwise make it obvious what they really are: abusive.
I could make the same rant about Microsoft on another day, but it's Apple's turn :P
The Apple programmer is eligible for a prize too (Score:2)