disclose / research-threats

Collection of legal threats against good faith Security Researchers; vulnerability disclosure gone wrong. A continuation of work started by @attritionorg
https://threats.disclose.io/
Creative Commons Zero v1.0 Universal

Add Apple non-payment & relentless copyright & DMCA attacks against good faith security research platform #33

Closed sickcodes closed 2 years ago

sickcodes commented 2 years ago

Apple's Bug Bounty rules permit Security Researchers to "copy, decompile, reverse engineer, disassemble, attempt to derive the source code of, decrypt, modify, or create derivative works of such Apple software," provided they share the results with Apple. However, in 2019, Apple filed a lawsuit against Corellium, stating that it participates "with no license or permission from Apple." Moreover, "Apple approved of Corellium participating in its invitation-only Security Bounty Program ("bug bounty program") with a promise to pay for software bugs identified by Corellium" in court documents dated 10-28-2019. "Apple gladly accepted and utilized bugs submitted by Corellium as part of this program [yet] broke its promise to pay for them." Apple's bug bounty began in 2016, but was only opened to the public in 2019. This means anyone can participate.

Corellium was a participant in the invitation-only program. Corellium claims it is owed $300,000 in unpaid bounties. Apple is known to change the prices, with Apple originally offering up to $1,500,000 as the maximum payout, but that has since come down to $1,000,000. Moreover, an "iCloud" bounty is listed with a maximum payout of $100,000 on the main page; however, a "limited" iCloud bypass is only a mere $25,000. Apple has previously "made eBay remove a listing that offered a prototype iPhone for sale for $10,000". Bizarrely, Apple only offers the "Security Research Device" (SRD) for the iPhone, abandoning iPadOS, macOS, tvOS, and watchOS, which do not have Research Devices. The number of vulnerabilities discovered on SRDs is extremely low, with many vulnerabilities coming from ZDI as well as anonymous researchers.

Apple sued Corellium in 2019 for copyright infringement. The copyright claim is a disgrace to researchers far and wide, and Apple even stated on 08-15-2019, "Apple strongly supports good-faith security research on its platforms, and has never pursued legal action against a security researcher," yet is pursuing the only platform that empowers researchers to participate in Apple's program. Apple lost that lawsuit, demonstrating a clear & apparent disconnect between the company and good faith Security Researchers. The UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF FLORIDA dismissed every single one of Apple's claims. The COURT ruled on 05-11-2020 that "Corellium does not infringe any of Apple's copyrights." Apple ignored the ruling, filing another lawsuit, casting a shadow of legal uncertainty over the entire Security Research community. Apple admits to trying to buy Corellium; Corellium was approached by Federighi, Andrews, & Krstic, who are Apple's Senior Vice President of Software Engineering, the Vice President of OS Software Engineering, and the Head of Apple's Security Engineering and Architecture, respectively.

The case was "DONE AND ORDERED in Fort Lauderdale, Florida, [on] 29th day of December 2020," noting Corellium may make fair use of iOS, but it is not absolved of potential liability for allegedly employing circumvention tools to unlawfully access iOS or elements of iOS. However, Apple's Bug Bounty program specifically permits the above, if you report the bugs to Apple. This series of lawsuits destroys credibility in the Security Research community, and Apple's lower-than-expected payouts deter researchers from reporting the bugs to Apple, with many researchers opting to sell their exploits elsewhere. One such example is the sheer volume of submissions that come through the Zero Day Institute. More court documents relating to Apple attempting to reintroduce new witnesses, in a case that should already be over.