In a peculiar incident, Google recently fixed a zero-day vulnerability in its Chrome browser that was discovered by an Apple employee. What’s even more interesting is the way this bug was found and reported to Google.
The Bug Was Originally Found by an Apple Employee
According to comments on the official bug report, the bug was originally found by an Apple employee who participated in a Capture The Flag (CTF) hacking competition in March. However, instead of immediately reporting the bug to Google, the Apple employee decided to take two weeks to investigate and write up the issue so that it could be fixed.
The Bug Was Reportedly Found During a CTF Competition
The CTF team HXP organized an event in which participants were tasked with finding vulnerabilities in various software. The Apple employee who discovered the bug was part of this competition and chose not to report it immediately.
The Story Behind the Delayed Reporting
In response to comments on the bug report, the person claiming to be the Apple employee who found the zero-day explained their side of the story. They stated that they took two weeks to work on the issue full-time, writing an exploit proof of concept and a write-up so that it could be fixed.
Why Wasn’t the Bug Reported Immediately?
The person claiming to be the Apple employee cited multiple reasons for not reporting the bug immediately. They mentioned that they had to find the responsible party within their company, get the report signed off by others, and then deal with someone being out of office (OOO). They also stated that they didn’t think there was any real urgency in fixing the issue.
Google Awarded a $10,000 Bug Bounty
Despite the delay in reporting, Google still awarded a $10,000 bug bounty to the person who reported it. However, as we’ll discuss later, this is where things get even more interesting.
The Person Who Reported the Bug Wasn’t the One Who Found It
The person who received the $10,000 bounty wasn’t the one who discovered the vulnerability in the first place. They reportedly donated the money to a good cause, but it’s unclear what exactly they did with the funds.
What Does This Incident Say About Vulnerability Disclosure?
This incident raises questions about how vulnerabilities are reported and disclosed. While we can’t know for certain why the Apple employee didn’t report the bug immediately, it seems that there may have been some internal delays or bureaucratic hurdles to overcome before the issue was fixed.
Google’s Response to This Incident
When asked for comment on this incident, a Google spokesperson stated that they take security very seriously and are committed to fixing vulnerabilities as quickly as possible. They also acknowledged that in this case, there were some internal delays that contributed to the prolonged time it took to fix the issue.
Conclusion
The story of how a zero-day vulnerability was discovered by an Apple employee and reported to Google is complex and raises interesting questions about vulnerability disclosure and reporting. While we can’t know for certain why the bug wasn’t reported immediately, this incident highlights the importance of effective communication between companies and the need for streamlined vulnerability reporting processes.