Teenager Who Found FaceTime Bug Will Be Eligible For Bug Bounty Program

Grant Thompson, the teenager that reported the FaceTime bug last week, will be eligible for the Apple bug bounty program. "Apple's bug bounty system is typically invite-only and limited to specific categories of security flaws, like accessing iCloud account data or demonstrating ways for iPhone apps to escape the security sandbox of iOS," reports 9to5Mac. "It appears the company is making an exception here given the embarrassingly public nature of the case, although further details about the reward have yet to be discussed." From the report: The FaceTime bug that made waves as result of 9to5Mac's coverage last week was actually first reported to Apple by Grant Thompson and his mother in Arizona a week earlier. However, deficiencies in the Apple bug reporting process meant that the report was not acted upon by the company. Instead, the teenager made headlines when his mother shared their Apple communications on Twitter. Their claims were later proved to be legitimate.

Around January 22, Apple Support directed them to file a Radar bug report, which meant the mother had to first register a developer account as an ordinary customer. Even after following the indicated steps, it does not appear that Apple's product or engineering teams were aware of the problem until its viral explosion a week later. CNBC reports that an unnamed "high-level Apple executive" met with the Thompsons at their home in Tucson, Arizona on Friday. They apparently discussed how Apple could improve its bug reporting process and indicated that Grant would be eligible for the Apple bug bounty program.

well deserved!

[sad_]

It looks to me Thompson found 2 bugs, one with facetime and another with submitting bug reports.
Don't know which of the two is the worst...

Re:Metal Bracelets

[jellomizer]

What laws did he break. And will the victim of the crime press charges?
Hacking itself isn't illegal, nor is stumbling on a security flaw. Crossing the line is using this security flaw to spy, or undo damage onto others.

Actually this makes an interesting case study in crisis management.
For a problem like there there were many changes for Apple to flub the response and make it worse, however for the most part they handled it professionally (not perfectly).
A major security flaw was found, in one of their new features that they were trying to push out as the next big thing. Having this exposed is painful to a company.
1. It hurts them in Marketing
2. It hurts in in PR
3. Their engineers are worried
4. Management is worried

This creates a lot of emotion within the company, emotion often will lead to brash decisions that will just make things work. (Think Steve Jobs "Your Holding it Wrong" on the iPhone 4 loosing connection when a left handed person hold the phone in a particular way.)

However once Apple spotted the reported flaw, and scoped out how bad it was (This seemed to take too long due to bad public bug reporting). They Stopped the service, and put a PR message out stating the problem and why they stopped it. They took the embarrassment of a flaw, to make sure their customer base would be safe. Engineers are now working on a fix. Now Apple management is reaching out to the person who found the bug and rewarded them, also it appears they are trying to make bug reporting more streamlined, to prevent it being public for a week.

I have seen other times when a security flaw is discovered a company would go into panic protected mode. Try to ignore the problem as long as it could, Actively hide or remove any communication about the problem to the public. Find legal action on the more vocal people pointing out the problem. And using PR and Marketing to try to white wash the the problem, while real people are getting hurt. Then finally the fix would be in their quarterly patch (which would probably break other things).

Apple is one of the largest for profit publicly traded companies, during a period of a record slowdown in sales, and with crazy variance in stock price. I am actually surprised on how well Apple is handling this problem. I know this is Slashdot and we are suppose to Hate Apple after 2008, and all things Apple. And a bunch of us are developers/administrators who never had a security hole (exposed), so we all think we are just that good at our job and it is easy to admonish a company for a security flaw. However a security flaw can happen from a misstep anywhere during the product life cycle development, and maintenance.
Now the question you should ask yourself, if a major flaw was found what would you do? And how would your peers honestly respond to your action?