Apple Stiffs Researcher on Bounty for iOS Kernel Vulnerability [Update: Resolved]

“Meysam”, on Twitter/X:

I reported CVE-2024-27804, an iOS/macOS kernel vulnerability that leads to the execution of arbitrary code with kernel privileges.

Will publish the POC soon.

Maybe there’s more to this story, but it sure is a bad look for a $3 trillion company to have a reputation for finding technicalities to avoid paying bug bounties.

I would think Apple would want to err on the side of being liberal with bug bounty payouts, to encourage researchers to report as many as they can find.

Update: Meysam:

It seems Apple has concluded that the reported CVE is not exploitable, and they are planning to update the description to accurately describe the issue as an unexpected system termination rather than arbitrary code execution, but in good faith they will reward me $1000.

And to be clear, Meysam seems genuinely happy with this resolution.

Wednesday, 15 May 2024