A bug bounty wouldn’t have helped Apple spot the macOS root flaw, but Apple should consider a bug bounty or better vulnerability reporting anyway. Earlier this week, Turkish developer Lemi Orhan Ergin tweeted about a serious flaw in macOS High Sierra, that let anyone access your computer by logging in with root and no password. Apple issued a patch the next day.
Responsible disclosure advocates immediately piled on Ergin, calling his tweet “idiotic”, “a little foolish” and “completely irresponsible”. Responsible disclosure is the idea that if you spot a vulnerability, you should alert the company first and give it enough time to bash together a patch before going public.
© Article’s author: Nicole Kobie.
© Source: Wired UK
Despite the Twitter abuse, Apple was apparently warned about the flaw before Ergin tweeted it out. In a Medium post, Ergin claimed that the issue was spotted by staff at the company he works for – and they did disclose it to Apple before taking it public. “Wired UK” asked Apple for confirmation of the disclosure, but the company hadn’t responded at the time of publication.
“A week ago the infrastructure staff at the company I work for stumbled on the issue while trying to help one of my colleagues recover access to his local admin account,” he wrote. “The staff noticed the issue and used the flaw to recover my colleague’s account.”
Ergin explained that his colleagues reported the flaw to Apple on November 23 and noticed that it had been discussed in the Apple Developer Forum as far back as November 13. “It seemed like the issue had been revealed, but Apple had not noticed yet.”
Ergin didn’t tweet about the flaw until five days later, on November 28. Regardless of whether five days is enough to qualify as responsible disclosure, Ergin’s intent in tweeting was well intended. “The issue was very serious. It has already been mentioned in forums and revealed publicly few weeks ago,” he wrote on Medium. “I have no intention to harm Apple and Apple users. By posting the tweet, I just wanted to warn Apple and say ‘there is a serious security issue in High Sierra, be aware of it and fix it’.”
Following the public attention, Apple immediately issued advice on a workaround, and had a patch ready the next day. While that’s good news for macOS users, it’s raised the question of whether Apple could do more to encourage security researchers to watch out for issues on the Mac operating system.
Responsible disclosure is encouraged by so-called bug-bounty programs, when companies pay security researchers for reporting such flaws. They’re popular across the tech world and in 2016 alone Google paid out $3 million. Facebook, Tesla, Microsoft and Uber all have similar programs. Even non-tech companies are using them: Bugcrowd’s State of Bug Bounty report revealed enterprise adoption of such programs was up 300 per cent last year.
Google’s bug bounty program pays out $3 million, mostly for Android and Chrome exploits:
If you’re willing to hunt for flaws within its vast array of software and services, Google’s happy to pay up. Over the course of its 2016 Vulnerability Rewards Program, the company paid out $3 million–a third of the total $9 million that enthusiastic researchers have earned since the initiative, more colloquially known as a bug bounty program, launched in 2010.
The latest round of bug bounties yielded 1,000 individual rewards to 350 participants, with the largest single reward totaling $100,000. Last March, Google doubled the bounty for a Chromebook hack from $50,000 to $100,000, after no one managed to pull one off.
Among 2016’s bug bounty exploits:
Google awarded $3,134 to researcher Tomasz Bojarski for an XSS vulnerability identified on its events site (events.google.com). Bojarski has been hunts for Google exploits from a small town in Poland for the last three years and he claims to do it for the “sheer enjoyment.” Maybe also for the glory, because he’s killing it on Google’s bug bounty leaderboards.
A “bug chain bonus” of $5,000 and another $7,500 for a jаvascript exploit targeting the Google account recovery page.
A Chrome OS vulnerability involving a one byte DNS library overflow, detailed at the Project Zero blog. Sounds like someone finally cashed in on Google’s Chromebook call to action.
But while Apple has an invite-only bug bounty programme for iOS, it doesn’t pay out for flaws found with macOS. Critics suggest that means researchers are less likely to dig about in macOS code looking for flaws. “Bug bounty programs help further incentivise hackers to spend more time looking for bugs,” says Alex Rice, co-founder and CTO of HackerOne. “Bounties can help attract more attention from a broader audience, meaning you’ll have more people testing the security of your software.”
Keith Hoodlet, Bugcrowd’s trust and security engineer, agrees. “I think (Apple) would likely benefit from having a bug bounty program that’s a little bit broader than just iCloud or iOS infrastructure,” Hoodlet says. “Large companies usually see a lot of savings from having a bug bounty programme, and that’s usually a time-cost savings.”
On the other hand, the high value of Apple flaws may make them a special case – a report by Motherboard last year suggested researchers are much more likely to sell iOS vulnerabilities to the highest bidder as they’re too valuable to hand over to Apple.
Apple is certainly wealthy enough to pay for flaws, so why doesn’t it?
“Apple has had a history of somewhat closed doors when it comes to dealing with or responding to vulnerabilities that have been reported to against their systems,” Hoodlet says. “Historically speaking, Apple does not credit researchers for their findings when it comes to vulnerabilities being fixed, so to that end it may just be a company culture.”
Rice notes that not having a bug bounty doesn’t mean Apple is weak on security, saying such programs are “by no means a silver bullet” for security. “Vulnerabilities are always inevitable and Apple should be applauded for their exceptional security response – the issue was fully resolved in a matter of days,” he adds.
Even without a bug-bounty program, Apple does take flaw reports over email, and Rice says it’s more important to have such a vulnerability disclosure program than it is to pay for reports. “This tells the world, ‘If you know of a vulnerability we’d like you to share it with us so we can fix it,” Rice says. “It’s providing a safe and secure channel for friendly hackers to disclose what they find and ensuring they won’t face a response from a lawyer or law enforcement.”
If you do spot a bug, Apple’s vulnerability disclosure details are here.
Infotolium confirmed this security flaw exists on macOS High Sierra 10.13.0.