Slashdot Mirror

← Back to Stories (view on slashdot.org)

Teenager Who Found FaceTime Bug Will Be Eligible For Bug Bounty Program (9to5mac.com)

Posted by BeauHD on from the good-on-you dept.

Grant Thompson, the teenager that reported the FaceTime bug last week, will be eligible for the Apple bug bounty program. "Apple's bug bounty system is typically invite-only and limited to specific categories of security flaws, like accessing iCloud account data or demonstrating ways for iPhone apps to escape the security sandbox of iOS," reports 9to5Mac. "It appears the company is making an exception here given the embarrassingly public nature of the case, although further details about the reward have yet to be discussed." From the report: The FaceTime bug that made waves as result of 9to5Mac's coverage last week was actually first reported to Apple by Grant Thompson and his mother in Arizona a week earlier. However, deficiencies in the Apple bug reporting process meant that the report was not acted upon by the company. Instead, the teenager made headlines when his mother shared their Apple communications on Twitter. Their claims were later proved to be legitimate.

Around January 22, Apple Support directed them to file a Radar bug report, which meant the mother had to first register a developer account as an ordinary customer. Even after following the indicated steps, it does not appear that Apple's product or engineering teams were aware of the problem until its viral explosion a week later. CNBC reports that an unnamed "high-level Apple executive" met with the Thompsons at their home in Tucson, Arizona on Friday. They apparently discussed how Apple could improve its bug reporting process and indicated that Grant would be eligible for the Apple bug bounty program.

49 comments

  1. Metal Bracelets by Anonymous Coward · · Score: -1

    Will he also be eligible for a pair of shiny metal bracelets as well as many years of free room and board? I mean, that's how we do things in America. No good deed goes unpunished.

    1. Re: Metal Bracelets by Anonymous Coward · · Score: -1

      What would a black dwarf identify as first?

    2. Re:Metal Bracelets by jellomizer · · Score: 3, Interesting

      What laws did he break. And will the victim of the crime press charges?
      Hacking itself isn't illegal, nor is stumbling on a security flaw. Crossing the line is using this security flaw to spy, or undo damage onto others.

      Actually this makes an interesting case study in crisis management.
      For a problem like there there were many changes for Apple to flub the response and make it worse, however for the most part they handled it professionally (not perfectly).
      A major security flaw was found, in one of their new features that they were trying to push out as the next big thing. Having this exposed is painful to a company.
      1. It hurts them in Marketing
      2. It hurts in in PR
      3. Their engineers are worried
      4. Management is worried

      This creates a lot of emotion within the company, emotion often will lead to brash decisions that will just make things work. (Think Steve Jobs "Your Holding it Wrong" on the iPhone 4 loosing connection when a left handed person hold the phone in a particular way.)

      However once Apple spotted the reported flaw, and scoped out how bad it was (This seemed to take too long due to bad public bug reporting). They Stopped the service, and put a PR message out stating the problem and why they stopped it. They took the embarrassment of a flaw, to make sure their customer base would be safe. Engineers are now working on a fix. Now Apple management is reaching out to the person who found the bug and rewarded them, also it appears they are trying to make bug reporting more streamlined, to prevent it being public for a week.

      I have seen other times when a security flaw is discovered a company would go into panic protected mode. Try to ignore the problem as long as it could, Actively hide or remove any communication about the problem to the public. Find legal action on the more vocal people pointing out the problem. And using PR and Marketing to try to white wash the the problem, while real people are getting hurt. Then finally the fix would be in their quarterly patch (which would probably break other things).

      Apple is one of the largest for profit publicly traded companies, during a period of a record slowdown in sales, and with crazy variance in stock price. I am actually surprised on how well Apple is handling this problem. I know this is Slashdot and we are suppose to Hate Apple after 2008, and all things Apple. And a bunch of us are developers/administrators who never had a security hole (exposed), so we all think we are just that good at our job and it is easy to admonish a company for a security flaw. However a security flaw can happen from a misstep anywhere during the product life cycle development, and maintenance.
      Now the question you should ask yourself, if a major flaw was found what would you do? And how would your peers honestly respond to your action?

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    3. Re: Metal Bracelets by Anonymous Coward · · Score: 0

      I am an Apple engineer. We are not worried, these things happen.

    4. Re: Metal Bracelets by jellomizer · · Score: 1

      What would happen if this was your code? Perhaps the internal Apple treatment of engineers is better then the general industry. But normally when there is a problem, the thumb is pressed down on the engineers. Often with the Stupid question on why was this flaw made that way, and why wasn't it caught (and not part of the root cause, but when we have to rush to fix the solution).
      Secondly, I expect a degree of pride you place in your work, to have your work publicly pointed out as a security problem, will probably hurt a little on the inside.
      Normally the engineers are now worried, because their job is now being interrupted by executives over your shoulder, forcing you to behave where you really need to be grumpy and crude, so you can get the job done (Often when people are in deep thought, their manners are first to go, hence why professional thinking people are often rather rude and tough to work with while on the job).

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    5. Re:Metal Bracelets by Anonymous Coward · · Score: 0

      What laws did he break. And will the victim of the crime press charges?

      I was making a somewhat dark joke, but since you ask it's probably though not necessarily the case he violated the CFAA. If so, there is no need for any victim to press charges. Of note, Apple would probably not be the victim unless Grant exploited the bug with someone at Apple. However, Apple could potentially have lobbied, behind closed doors, for prosecution while simultaneously pushing PR that says they don't condone such hacks and saying they won't interfere and let the DOJ decide whether to prosecute or not.

      Note, the joke wasn't an Apple specific rant. Google, Microsoft, Facebook, Verizon, <insert random public corporation>, et al are all pretty evil when it comes to covering their own ass as public disclosure of such exploits can hurt the stock and people high up in the company often have a good deal of their net worth in stock. If the optics look favorably enough--if they weren't experiencing "a record slowdown in sales, and with crazy variance in stock price"--maybe they'd be more inclined to strike. Maybe Apple would never do it. I don't really know.

    6. Re:Metal Bracelets by Anonymous Coward · · Score: 0

      it amazes me that when one of the most valuable companies in the world with some of the highest paid executives and management handles a problem in a semi competent way and doesn't screw it up to badly everyone is impressed. its sad the that bar is so low for companies that "we didn't make it too much worse" is shocking.

    7. Re:Metal Bracelets by jellomizer · · Score: 1

      Big Companies, often have a lot of talking heads and big Egos. A large company is very productive when all the parts run smoothly, however when there is a problem, things go out of wack, and require business agility more prevalent with smaller companies.

      It is surprising when a big company can handle a problem rather quickly. Because there are often so many checks and balances to prevent problems, that having to deal with them isn't dealt well.

      Now Apple may had policy and procedures for this type of problem, but a lot of companies may not, because we cannot have a policy and procedure for all problems.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    8. Re:Metal Bracelets by sjames · · Score: 1

      Let's not rewrite history here. They completely ignored the bug when the teen that found it tried to report it politely and privately even after he and his mother jumped through the hoops "necessary" for them to even report the bug at all. It didn't see any action until it was embarrassingly reported in public with a clear easy to understand and follow video that went viral.

      They show no intention of correcting the underlying design bug, they've just papered it over.

    9. Re: Metal Bracelets by Anonymous Coward · · Score: 0

      Oh look, a dismissive attitude from an apple engineer.

      Lacking in self awareness much?

  2. All you need to know by Anonymous Coward · · Score: 0

    "the company is making an exception here given the embarrassingly public nature of the case" - remember when Apple used to be the PR geniuses instead of acting like Microsoft? Skimping on a bug bounty? Fine, get hacked.

    1. Re:All you need to know by Anonymous Coward · · Score: 0

      I have to wonder how many bugs are in Apple products that are just sold on the black market because Apple is just made up of shitheads.

    2. Re: All you need to know by Anonymous Coward · · Score: -1

      Pseudo intellectuals think they have this robust framework that accommodates so much more than traditional gender norms. Cunts are fucked and couldn't pass an undergraduate subject in logic.

    3. Re:All you need to know by Anonymous Coward · · Score: 0

      Grant Thompson, the King of Random? He's already in trouble with the law.
      https://www.tubefilter.com/2018/05/21/grant-thompson-king-of-random/

  3. Jail him! by Anonymous Coward · · Score: 0

    Send all hackers to jail.

  4. another PR slashvertisment from apple by etash · · Score: 0

    oh what a good company we are, giving bounty money to a teenager despite the fact that by the letter of our rules he shouldn't get any. Applaud us please.

    1. Re:another PR slashvertisment from apple by Anonymous Coward · · Score: 0

      It actually doesn't read that way at all. It reads like they tried to weasel, it got away from them into bad PR, and because of that kid (who wasn't actually entitled to the program, which is key) might get paid "special" for his bug.

      It looks like kid outsmarted Apple which makes buggy software and doesn't see the point of the bug bounty isn't necessarily having "qualified in-pipe" investigators as much as it is getting bugs out of their code.

      Maybe you just read all the other puff pieces about Apple and got them stuck in your mind or something? I skip those.

    2. Re:another PR slashvertisment from apple by Anonymous Coward · · Score: 2, Interesting

      oh what a good company we are, giving bounty money to a teenager despite the fact that by the letter of our rules he shouldn't get any. Applaud us please.

      So Apple fixed their own damn rules.

      They are allowed to do that, you know.

      It looks like Apple's bug system was being run by low- to mid-level managers who were likely cooking the numbers to make themselves look better. (See! No high-level security-related bugs in **MY** project! Umm, yeah, not so much...) The publicity this kid generated got the attention of Apple's executives, who stepped in and seemingly fixed at least part of the problem.

    3. Re:another PR slashvertisment from apple by Anonymous Coward · · Score: 0

      Exactly this. Im surprise the apple police have not shown up at his door and taken him away.

    4. Re:another PR slashvertisment from apple by drinkypoo · · Score: 2

      So Apple fixed their own damn rules.

      No, they haven't.

      They are allowed to do that, you know.

      They are, but they didn't. They're just making an exception, because they need to distract from the fact that they fucked up on a grand scale. Again.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  5. well deserved! by sad_ · · Score: 5, Interesting

    It looks to me Thompson found 2 bugs, one with facetime and another with submitting bug reports.
    Don't know which of the two is the worst...

    --
    On a long enough timeline, the survival rate for everyone drops to zero.
    1. Re:well deserved! by Anonymous Coward · · Score: 0

      3 bugs - the company going against it's own rules (where it's deliberately not done this in the past for other submitters) just because it's good PR and convenient.

      Assholery at it's finest.

    2. Re: well deserved! by Anonymous Coward · · Score: 0

      I guess that is the idea. Or maybe they just take their sweet time with bug fixes. Apple is too cute.

    3. Re: well deserved! by Anonymous Coward · · Score: 0

      Needle in a haystack? I wonder how long it takes to find bugs and decide they are really bugs. Hmmm... food for thought

    4. Re:well deserved! by msauve · · Score: 2

      As bad as the Facetime bug is, I'd say the other is worse for Apple - it made them admit that they really don't listen to their customers. But don't expect that to really change.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    5. Re:well deserved! by Anonymous Coward · · Score: 1

      Three Bugs.

      The third being a rotten culture to the core.The person logging the call should have escalated immediately bypassing whatever. Bad culture is a management issue. Can't take the initiative? Not empowered?

    6. Re: well deserved! by Anonymous Coward · · Score: 0

      One of the defining characteristics of Apple is not listening to customers. Their attitude has always been they will tell you what you want.

    7. Re: well deserved! by Anonymous Coward · · Score: 0

      And while Jobs actually had a clue what a good product is, Timmy Vrook has absolutely none as he is too busy being different

    8. Re:well deserved! by SuperKendall · · Score: 1

      The very story is about how they not only listen, but actually rewarded someone they didn't promise anything...

      The fact that response was delayed is an issue yes, but within a week is still pretty good compared to many companies customer response - which is never...

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    9. Re:well deserved! by sjames · · Score: 2

      They never did willingly listen. They had to be bludgeoned with it on social media just like the other companies.

    10. Re:well deserved! by Ichijo · · Score: 1

      Nice try but the difficulty in submitting bug reports is usually intentional. Many developers are not emotionally prepared to deal with bug reports which they see as criticism of their work. But maybe Apple developers are different.

      --
      Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
    11. Re:well deserved! by tlhIngan · · Score: 2

      Nice try but the difficulty in submitting bug reports is usually intentional. Many developers are not emotionally prepared to deal with bug reports which they see as criticism of their work. But maybe Apple developers are different

      No, it's intentional because the vast majority of bugs will be of the kind "I can't turn on my phone". Or "My phone doesn't charge" and the like.

      This is par for the course because for the most part, for every legitimate bug that needs investigation, you'll get a million of the kind from people who can't/won't figure out that they need to charge the battery, or need to plug in the charger.

      Apple and others probably have a bunch of front line workers who answer these "bugs" every day, so it's more than believable that when you tweet about the bug to Apple, it gets overlooked as people see it as another "I can't figure out how to use it and I don't want to read" type of complaint.

    12. Re:well deserved! by Ichijo · · Score: 1

      it gets overlooked as people see it as another "I can't figure out how to use it and I don't want to read" type of complaint.

      In other words, another usability flaw, something that's not a bug because it was designed that way on purpose due to lack of testing on technically inexperienced people and/or lack of qualified usability experts helping you design your product.

      --
      Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
    13. Re:well deserved! by dgatwood · · Score: 1

      The fact that response was delayed is an issue yes, but within a week is still pretty good compared to many companies customer response - which is never...

      Apple included. The slowness and inconsistency of Apple's bug handling is well known among everyone who has ever worked there or developed software for any Apple platform. In fact, at least a few years ago, it was a long-standing joke among Apple engineers that they'll close most of the bugs when they deprecate and subsequently drop support for the technology, at which point they can close them as "Cannot reproduce".

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    14. Re:well deserved! by Anonymous Coward · · Score: 0

      He's under age. Good luck collecting.

  6. More Money on Dark Web by Anonymous Coward · · Score: 0

    sell to the highest bidder next time. the al-qaeda sleeper cells pay well. thats how they can blow up skyscrapers from caves on the other side of the planet. real news says so

    ae911truth dot org

  7. In a first of its kind, bug researcher gets reward by recrudescence · · Score: 1

    The more typical scenario of course being that they get majorly sued for damages, while being publicly defamed for being an 'illegal haxxor'.

  8. Abusive relationship by drinkypoo · · Score: 2

    This is how abusers string along their victims - random occurrences of being "nice", by doing precisely what they SHOULD be doing. But it doesn't excuse their behavior the rest of the time. Apple has been generally unresponsive to bug reports since their first days. They pissed on their user base with this garbage bug, and now all they have to do to distract their Stockholm syndrome audience is grant a bug bounty to someone who clearly deserves it. "Look", they'll say, "Apple can do the right thing!" Yes, but only when it would otherwise make it obvious what they really are: abusive.

    I could make the same rant about Microsoft on another day, but it's Apple's turn :P

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re: Abusive relationship by Anonymous Coward · · Score: 0

      Intriguing how much hate Apple fosters. You probably should have called them names like sweaty negro or tuberculine infested yellow rat. I would be careful baiting them with your attacks. Clear your thoughts and make an appeal to logic for once. Sooner or later Apple will collapse and your complaints - ever so hard to swallow and fall apart the minute you read them - will not matter. Fuck off bitches

    2. Re: Abusive relationship by Anonymous Coward · · Score: 0

      How much time did you waste writing this?? As troll attempts go, I'd call this 'E for effort' but I think you trolled yourself here?

  9. He's also eligible for the Human Cent-iPad program by Anonymous Coward · · Score: 0

    Just as soon as he reads the License Agreement (oops, he clicked!)

  10. WooHoo by Anonymous Coward · · Score: 0

    apple will probably gift him a pair of this ugly looking earpods.
    Thanks apple!

  11. Ffuck... by Anonymous Coward · · Score: -1

    ASSOCIAtION OF up today! If you

  12. The Apple programmer is eligible for a prize too by JoeyRox · · Score: 1

    Early retirement.

  13. Agreed - why is it so hard?! by ripvlan · · Score: 1

    I didn't realize that "regular people" couldn't file bug/security reports with Apple. I know its hard to do so... as I've found bugs in iOS myself and found the process of reporting them to be onerous. It's easier to put them on the Community forum and moan about them than actually file with Apple.

    Several instances I've just given up because of either "login" issues or can't attach screen shots / tell the story. By the time I've opened the form I feel like doing something else.

    Google and Microsoft have feedback/reporting buttons right in their apps.

  14. You kind of can by SuperKendall · · Score: 1

    I didn't realize that "regular people" couldn't file bug/security reports with Apple

    You kind of can via the Feedback forms.

    Though for something this serious going through bugreport was a better idea, who knows how long it would have taken to be noticed going through Feedback...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  15. Re:In a first of its kind, bug researcher gets rew by Anonymous Coward · · Score: 0

    The more typical scenario is the researcher is paid through the bounty program and it doesn't generate news stories, but without news stories you wouldn't know that.

  16. useful post by heena+jain · · Score: 0

    thanks for sharing useful post keep sharing like this and Depression does not always have the same root cause. It may be triggered by a recent current event or situation, or from some past issues that have been building up. In summary, the cause of depression for every individual is unique read more... http://www.aekum.com/blog/best...?

  17. 42 years old teenager by Anonymous Coward · · Score: 0

    Or someone else?