Teenager Who Found FaceTime Bug Will Be Eligible For Bug Bounty Program

Grant Thompson, the teenager that reported the FaceTime bug last week, will be eligible for the Apple bug bounty program. "Apple's bug bounty system is typically invite-only and limited to specific categories of security flaws, like accessing iCloud account data or demonstrating ways for iPhone apps to escape the security sandbox of iOS," reports 9to5Mac. "It appears the company is making an exception here given the embarrassingly public nature of the case, although further details about the reward have yet to be discussed." From the report: The FaceTime bug that made waves as result of 9to5Mac's coverage last week was actually first reported to Apple by Grant Thompson and his mother in Arizona a week earlier. However, deficiencies in the Apple bug reporting process meant that the report was not acted upon by the company. Instead, the teenager made headlines when his mother shared their Apple communications on Twitter. Their claims were later proved to be legitimate.

Around January 22, Apple Support directed them to file a Radar bug report, which meant the mother had to first register a developer account as an ordinary customer. Even after following the indicated steps, it does not appear that Apple's product or engineering teams were aware of the problem until its viral explosion a week later. CNBC reports that an unnamed "high-level Apple executive" met with the Thompsons at their home in Tucson, Arizona on Friday. They apparently discussed how Apple could improve its bug reporting process and indicated that Grant would be eligible for the Apple bug bounty program.

Re:another PR slashvertisment from apple

oh what a good company we are, giving bounty money to a teenager despite the fact that by the letter of our rules he shouldn't get any. Applaud us please.

So Apple fixed their own damn rules.

They are allowed to do that, you know.

It looks like Apple's bug system was being run by low- to mid-level managers who were likely cooking the numbers to make themselves look better. (See! No high-level security-related bugs in **MY** project! Umm, yeah, not so much...) The publicity this kid generated got the attention of Apple's executives, who stepped in and seemingly fixed at least part of the problem.

well deserved!

[sad_]

It looks to me Thompson found 2 bugs, one with facetime and another with submitting bug reports.
Don't know which of the two is the worst...

Re:well deserved!

[msauve]

As bad as the Facetime bug is, I'd say the other is worse for Apple - it made them admit that they really don't listen to their customers. But don't expect that to really change.

Re:well deserved!

[sjames]

They never did willingly listen. They had to be bludgeoned with it on social media just like the other companies.

Re:well deserved!

[tlhIngan]

Nice try but the difficulty in submitting bug reports is usually intentional. Many developers are not emotionally prepared to deal with bug reports which they see as criticism of their work. But maybe Apple developers are different

No, it's intentional because the vast majority of bugs will be of the kind "I can't turn on my phone". Or "My phone doesn't charge" and the like.

This is par for the course because for the most part, for every legitimate bug that needs investigation, you'll get a million of the kind from people who can't/won't figure out that they need to charge the battery, or need to plug in the charger.

Apple and others probably have a bunch of front line workers who answer these "bugs" every day, so it's more than believable that when you tweet about the bug to Apple, it gets overlooked as people see it as another "I can't figure out how to use it and I don't want to read" type of complaint.

Abusive relationship

[drinkypoo]

This is how abusers string along their victims - random occurrences of being "nice", by doing precisely what they SHOULD be doing. But it doesn't excuse their behavior the rest of the time. Apple has been generally unresponsive to bug reports since their first days. They pissed on their user base with this garbage bug, and now all they have to do to distract their Stockholm syndrome audience is grant a bug bounty to someone who clearly deserves it. "Look", they'll say, "Apple can do the right thing!" Yes, but only when it would otherwise make it obvious what they really are: abusive.

I could make the same rant about Microsoft on another day, but it's Apple's turn :P

Re:Metal Bracelets

[jellomizer]

What laws did he break. And will the victim of the crime press charges?
Hacking itself isn't illegal, nor is stumbling on a security flaw. Crossing the line is using this security flaw to spy, or undo damage onto others.

Actually this makes an interesting case study in crisis management.
For a problem like there there were many changes for Apple to flub the response and make it worse, however for the most part they handled it professionally (not perfectly).
A major security flaw was found, in one of their new features that they were trying to push out as the next big thing. Having this exposed is painful to a company.
1. It hurts them in Marketing
2. It hurts in in PR
3. Their engineers are worried
4. Management is worried

This creates a lot of emotion within the company, emotion often will lead to brash decisions that will just make things work. (Think Steve Jobs "Your Holding it Wrong" on the iPhone 4 loosing connection when a left handed person hold the phone in a particular way.)

However once Apple spotted the reported flaw, and scoped out how bad it was (This seemed to take too long due to bad public bug reporting). They Stopped the service, and put a PR message out stating the problem and why they stopped it. They took the embarrassment of a flaw, to make sure their customer base would be safe. Engineers are now working on a fix. Now Apple management is reaching out to the person who found the bug and rewarded them, also it appears they are trying to make bug reporting more streamlined, to prevent it being public for a week.

I have seen other times when a security flaw is discovered a company would go into panic protected mode. Try to ignore the problem as long as it could, Actively hide or remove any communication about the problem to the public. Find legal action on the more vocal people pointing out the problem. And using PR and Marketing to try to white wash the the problem, while real people are getting hurt. Then finally the fix would be in their quarterly patch (which would probably break other things).

Apple is one of the largest for profit publicly traded companies, during a period of a record slowdown in sales, and with crazy variance in stock price. I am actually surprised on how well Apple is handling this problem. I know this is Slashdot and we are suppose to Hate Apple after 2008, and all things Apple. And a bunch of us are developers/administrators who never had a security hole (exposed), so we all think we are just that good at our job and it is easy to admonish a company for a security flaw. However a security flaw can happen from a misstep anywhere during the product life cycle development, and maintenance.
Now the question you should ask yourself, if a major flaw was found what would you do? And how would your peers honestly respond to your action?

Re:another PR slashvertisment from apple

[drinkypoo]

So Apple fixed their own damn rules.

No, they haven't.

They are allowed to do that, you know.

They are, but they didn't. They're just making an exception, because they need to distract from the fact that they fucked up on a grand scale. Again.