Apple Confirms Teen Who Discovered Group FaceTime Bug Will Get Paid A Bounty
The big news of late in the Apple realm was the severe flaw in Group FaceTime that allowed users to eavesdrop on people added to the group conversation before they accepted the call (without their knowledge). The flaw could also share video from the camera of the iPhone in addition to audio. The first person to discover the bug was a 14-year-old teen named Grant Thompson, and Apple has confirmed he will get paid.
While Apple has confirmed that Thompson will be paid for finding the flaw, it is being coy about how much the teen will receive. All Apple says so far is that it will compensate the family and make a contribution to Thompson's education. Thompson's mother was very vocal about the run around they received trying to report the flaw to Apple since they weren't registered as developers.
It took a week after the discovery of the bug to get Apple to respond. Apple eventually acknowledged the issue, and while it was preparing a fix for the serious flaw, it disabled group FaceTime chats to prevent the exploit from being taken advantage of. Apple is now facing a lawsuit over the bug, has apologized for the flaw and released an iOS update to address the issue.
Apple's bug bounty program offers payouts to developers and researchers who discover serious security flaws as a way to incentivize them to report the bugs, rather than sell them to nefarious sorts on the black market. The program has payouts of up to $200,000, but many developers are critical of the program because it's more profitable to sell the details of exploits on the black market than to Apple. Apple doesn't operate a bug bounty program for macOS devices, only for iOS.
Security researcher Linuz Henze has found a flaw in the way macOS stores data in the Keychain that reportedly leaves the passwords vulnerable in an easy to exploit manner. Henze has refused to disclose the flaw to Apple in protest of the fact that researchers can't get paid to report bugs for Macs.