Although Apple may have missed 14-year-old Grant Thompson’s report of last month’s Group FaceTime Spy Bug, the company has already publicly thanked the family for its discovery and it now appears it will be doing right by them by offering to provide a bug bounty for the discovery.
In an interview with CNBC, Grant’s mother, Michelle said that “a high-level executive with Apple” flew to meet with Grant in Tucson, Arizona on Friday afternoon in order to thank them in person and ask for feedback on ways in which Apple could improve its reporting process. Thompson declined to name the executive, mentioning only that he was a software engineering manager who “has some privacy and security training” and that she had promised to respect his privacy. She noted, however, that they “had a nice conversation for well over an hour” and that Grant would not only get the credit when Apple issues its iOS security fix, but that he will also be eligible for the bug bounty program. The details of how that would work were not discussed at the time however, with the Apple executive saying that they would be contacted by Apple’s security team within the next week or so.
I kind of found this one on accident, which is pretty surprising to me that like Apple didn’t get this and a 14-year-old kid found it by accident.Grant Thompson
Grant Thompson is credited with initially discovering the flaw in Group FaceTime on Jan. 19 that could allow callers to eavesdrop on audio and video from another party simply by placing an unanswered FaceTime call to them. Thompson’s mother, Michelle, attempted to report the bug to Apple through several feedback channels, including Apple’s Feedback form, Twitter, tagging Apple in her Facebook posts, calling them, e-mailing them, and even faxing them, before registering as a developer and submitting a bug report after all of the other methods had failed.
I first went to their website and went to Apple Feedback, which is an e-mail form. I tweeted them. I tagged them in my Facebook posts. I called them, I e-mailed them, and I faxed them, and then registered as a developer — even though I’m not a developer — and submitted a bug report that way, after all my other methods had failed.Michelle Thompson
Despite this, however, it wasn’t until 9to5Mac independently discovered the bug a week later that the news broke wide enough to get Apple’s attention, resulting in them quickly shutting down Group FaceTime until a fix could be released in an iOS update.
Unlike several other large companies, Apple doesn’t run a public bug bounty program, but instead only opens it by invitation to trusted security researchers. The program is also limited to flaws found in only specific categories, which would not normally include Thompson’s discovery. Apple is therefore not obligated to compensate Thompson in any way, and it’s still unclear what the amount of compensation will be — Apple normally pays between $25,000 and $200,000 to program members, depending on the nature of the security flaw.
It also still remains unclear exactly why it took so long for Thompson’s report to get to the people at Apple who needed to see it, although it seems that Michelle Thompson was also somewhat stymied by Apple’s own procedures. During the CNBC interview, Thompson said that she did not hear back from Apple at all until after the media broke the story.
I did not hear back from them until after the media broke the story one week ago. I heard back the following day, a Tuesday afternoon, just a generic form e-mail asking to whom we’d like to give credit for finding the bug.Michelle Thompson
According to 9to5Mac, however, Thompson was asked by Apple Support to sign up for an Apple Developer account in order to submit an official bug report that would be taken seriously. She also wasn’t able to do this until January 25, despite the fact that she had contacted Apple on January 20, and gone so far as to create and send a YouTube video demonstrated the flaw to Apple on January 23. The result is that it seems that while people within Apple were aware of the problem — Thompson posts at least one screenshot showing a response received from “Apple Product Security” — clearly the employees Thompson was dealing with were unaware of the seriousness of the issue or had no internal escalation path to follow.
In an apology for the FaceTime bug last week, Apple also provided no details on what went wrong, simply stating that “We are committed to improving the process by which we receive and escalate these reports, in order to get them to the right people as fast as possible.“
I’m still going to continue to use Apple. This was just I think a one-time thing. Every now and then something like this just slips through the cracks and can be found, but in general I think that Apple tries to keep our privacy safe and I respect that.Grant Thompson
When asked by CNBC whether this experience has soured his feelings about Apple products, Grant Thompson responded that he still has a great deal of confidence in and respect for Apple, and acknowledges that sometimes things like this just happen with even the best of companies.