Developer says Apple’s Bounty Program never paid for location bug

An iOS engineer says he feels “robbed” by Apple’s Security Bounty program after failing to receive payment for a vulnerability he believes fit its guidelines.

Nicolas Brunner, an iOS engineer at Swiss Federal Railways, wrote about his experience with the bounty program in a Medium post on Monday. According to Brunner, he had discovered an exploitable vulnerability in iOS 13 back in March 2020. The vulnerability would have allowed an app to permanently collect a user’s location data without their consent. Brunner says he discovered the flaw while working on an iOS project.
