Recently, Google revealed an intriguing incident where an Apple employee had discovered a zero-day bug in Chrome but chose not to report it. The bug was eventually fixed by Google, but the circumstances surrounding its discovery and reporting are rather peculiar.
According to a Google employee’s comments in the official bug report, the Apple employee found the bug during a Capture The Flag (CTF) hacking competition in March. However, they did not report it at that time, leaving it as a zero-day vulnerability, that is, one Google was unaware of and for which no patch had been issued. Interestingly, it was someone else who participated in the same competition, not the Apple employee, who eventually reported the bug to Google.
The Google employee stated, “This issue was reported by sisu from CTF team HXP and discovered by a member of Apple Security Engineering and Architecture (SEAR) during HXP CTF 2022.”
After the news broke, a Discord channel surfaced where an individual claiming to be the Apple employee who found the bug shared their side of the story. This person, referred to as Gallileo, explained that it took them two weeks of full-time work to root cause, create an exploit Proof of Concept, and write up the issue. They also cited various reasons for the delayed report, including the need to identify the responsible person and obtain necessary approvals, as the person in question was Out of Office (OOO) during that period.
Gallileo defended the decision to report the bug late, stating that the issue was likely not of great concern in real-world scenarios, as it didn’t affect Android devices and caused only minor disruptions to the Chrome GUI.
Neither Gallileo nor sisu responded to requests for comment.
Apple did not provide any comments on the matter.
While it is not uncommon for CTF teams to find zero-days during competitions, this particular incident is noteworthy due to an Apple employee discovering a bug in a Google product and deciding not to report it.
The bug was ultimately fixed by Google on March 29, and Google awarded a bug bounty of $10,000 to the person who reported it, even though that person was not the one who originally found it.
The incident highlights the intricacies of bug reporting and disclosure, as well as the competitive nature of CTF competitions, where discovering vulnerabilities is not uncommon. However, it is essential for cybersecurity teams and companies to foster a responsible and transparent reporting culture to address such vulnerabilities promptly and effectively.