The FaceTime bug that made waves as a result of 9to5Mac’s coverage last week was actually first reported to Apple by Grant Thompson and his mother in Arizona a week earlier. However, deficiencies in the Apple bug reporting process meant that the report was not acted upon by the company …
Instead, the teenager made headlines when his mother shared their Apple communications on Twitter. Their claims were later proved to be legitimate.
Around January 22, Apple Support directed them to file a Radar bug report, which meant the mother had to first register a developer account as an ordinary customer. Even after following the indicated steps, it does not appear that Apple’s product or engineering teams were aware of the problem until its viral explosion a week later.
As a short-term workaround, Apple took down the Group FaceTime servers a few hours after the bug was publicized by 9to5Mac, which prevents the bug from being triggered. Customers are still waiting for an iOS software update to restore Group FaceTime.
CNBC reports that an unnamed “high-level Apple executive” met with the Thompsons at their home in Tucson, Arizona on Friday. They apparently discussed how Apple could improve its bug reporting process and indicated that Grant would be eligible for the Apple bug bounty program.
“They also indicated that Grant would be eligible for the bug bounty program. And we would hear from their security team the following week in terms of what that meant,” said Michele Thompson. “If he got some kind of bug bounty for what he found we’d certainly put it to good use for his college because I think he’s going to go far, hopefully. This is actually a field he was interested in before and even more so now.”
Apple’s bug bounty system is typically invite-only and limited to specific categories of security flaws, like accessing iCloud account data or demonstrating ways for iPhone apps to escape the security sandbox of iOS. Monetary rewards are not given out to any random individual who happens to find a bug in Apple software.
Therefore, Thompson’s finding of a glitch in iOS that could cause people to hear the caller’s microphone without their knowledge would not qualify according to those rules.
It appears the company is making an exception here given the embarrassingly public nature of the case, although further details about the reward have yet to be discussed.
Under the official bug bounty program, Apple pays between $25,000 and $200,000 depending on the severity of the exploit.