Apple, New York State and the Challenge of Vulnerability Disclosure

by Casey Ellis, CTO and founder of Bugcrowd

On Wednesday, New York Governor Andrew Cuomo and new Attorney General Letitia James said that “the state was probing Apple Inc’s failure to warn consumers about a FaceTime bug that lets iPhones users see and hear others before they accept a video call,” Reuters reported.

While this isn’t the first time officials have investigated a company due to lack of response — the FTC did something similar with the Fandango case stating that “failing to maintain an adequate process for receiving and addressing security vulnerability reports from third parties.” — it’s certainly still novel.

It’s a stark reminder that vulnerability disclosure is hard — especially for large companies like Apple that are flooded with reports. As Grant Thompson’s (the 17-year old that found the FaceTime vulnerability) mom Michele Thompson told NBC News: “I get it. I’m sure they get all sorts of kooks that try to report things to them.”

It’s remarkable that Grant’s Mom understood something that others seem to be missing — vulnerability disclosure is hard, especially when you’re the size of a company like Apple. Inviting a conversation with the entire Internet is noisy. Combing through submissions is a time consuming and often fruitless task. Having a clear communication channel, a policy which provides safe harbor for ethical hackers (and their Moms), and a process and supporting systems to manage internal dissemination of vulnerabilities is paramount — and having a team to triage these submissions is key to being able to respond quickly.

The other call-out here is that fixing software is hard too. FaceTime Groups may seem like a simple feature to the user (Apple have a habit of designing things that way), but behind the curtain lies incredible complexity and depth. The deliberate obfuscation of this truth makes it easy for anyone on the outside to underestimate the complexity and difficulty of a fix — which I believe is contributing to the backlash in this case.

Given today’s climate we are going to see more regulations around vulnerability disclosure. We already have — the US Government, NIST, DOJ, among others have defined it as best practice. Today’s news is yet another example of why vulnerability disclosure is a best practice.

Casey Ellis, CTO of Bugcrowd

Casey Ellis is founder, CTO, and chairman of the board of Bugcrowd. He started life in infosec as pentester, moved to the dark side of solutions architecture and sales, and finally landed as a career entrepreneur. He’s been in the industry for 15 years, working with clients ranging from startups to government to multinationals, and awkwardly straddles the fence of the technical and business sides of information security. Casey pioneered the Bug Bounty as-a-Service model launching the first programs on Bugcrowd in 2012, and has presented at Blackhat, Defcon, Derbycon, SOURCE Boston, AISA National, and many others. He is happy as long as he’s got a problem to solve, an opportunity to develop, a kick ass group of people to bring along for the ride, and free reign on t-shirt designs.