Grant Thompson, the 14-year-old boy who stumbled upon the embarrassing group FaceTime flaw more than a week before Apple took action, is eligible for the company’s bug bounty program after all, in spite of some initial claims to the contrary.
According to CNBC this morning, an unnamed Apple executive met with the Thompsons at their home this past Friday to discuss their findings.
A high-level executive with Apple thanked us in person and also asked for our feedback, asked us how they could improve their reporting process.
They also indicated that Grant would be eligible for the bug bounty program. And we would hear from their security team the following week in terms of what that meant.
Hopefully, that means Grant gets his reward for finding the flaw.
If he got some kind of bug bounty for what he found, we’d certainly put it to good use for his college because I think he’s going to go far, hopefully. This is actually a field he was interested in before and even more so now.
A high school freshman in Tucson, Arizona, Thompson discovered the flaw by accident and reported it to Apple Support. After his emails went unanswered, Grant’s mother on January 22 shared screenshots of the email conversation with Apple’s Product Security division.
She claims this was one of many emails she sent to Apple about the flaw. “I didn’t hear from Apple until after the media broke the story one week ago today,” she said.
Two days later, she emailed Apple a video demonstration showing the FaceTime issue in action and was instructed to create a developer account to submit a Radar report, which she did.
For the sake of completeness, it should be underscored that Grant’s mom was aware of Apple’s bounty program before contacting the company. In all likelihood, she inundated the company with emails in the hope of receiving some kind of reward for their discovery, which is totally fine with us.
It took nine days for us to get a response. My mom contacted them almost every single day through email, calling, faxing. I’m not even sure what that is. It’s probably older than I am.
While Apple eventually disabled group FaceTime until a fix arrived, its initial reaction to the issue was slow because, as we’ve seen with similar bugs in the past, there is really no process in place for escalating critical flaws to the powers that be within the company.
Grant recalled how he stumbled upon the issue while playing Fortnite.
You can swipe up and add another person, so I added another friend of mine, Diego, to see if he also wanted to play. But as soon as I added Diego, it forced Nathan to respond.
Aside from a lawsuit, the bug drew scrutiny from New York Attorney General Letitia James and Governor Andrew Cuomo, who said they were investigating “Apple’s failure to warn consumers about the FaceTime bug and slow response to addressing the issue.”
The software flaw jeopardized the privacy of New York consumers, she said, adding that her office’s review will include a “thorough investigation into Apple’s response.”
Grant summed it up nicely:
The thing that surprised me the most was that this glitch happened in the first place. I’m only 14 and found it by accident instead of the people at Apple paid to find glitches.
Watch the full video report from CNBC embedded below.
Apple will deliver a fix for the eavesdropping flaw later this week.
“We have fixed the group FaceTime security bug on Apple’s servers and we will issue a software update to re-enable the feature for users next week,” the Cupertino firm said in a statement to media.
“We sincerely apologize to our customers who were affected and all who were concerned about this security issue,” it noted.
What are your thoughts on Apple’s initial reaction to Grant’s emails?
Could it have done more to issue a timelier response? And should there be a better process for the average user to report critical flaws like this, do you think?
Meet us in the comments!