Saturday, September 30, 2023

Vulnerability’s best friend: Apple employee discovers vulnerability in Chrome and doesn’t report it


Silence is a vulnerability’s best friend: Apple employee discovers vulnerability in Chrome and doesn’t report it

Why did Google find out about the problem from an outsider?

The bug was discovered in March 2023 by Apple's Security Engineering and Architecture (SEAR) team. But Google was not immediately notified of the error. Instead, the bug was reported by another CTF member who wasn’t even on the team that discovered it.

On July 6, a user with the nickname Gallileo, who introduced himself as an Apple employee, published his version of this story on Discord. He said that it took him two weeks to find the root cause of the error, write an exploit, and describe the problem so that it could be corrected. He also said that the bug was reported to Google on June 5th.

Filippo Cremonese, a researcher who competes in CTF with Italy’s mhackeroni team, said such episodes are not uncommon. He noted that it was interesting that the reporter and the Google employee exchanged messages. The first report dated March 26 indicated that the bug was discovered by someone on the COPY team organized by the HXP team. The author explains that he decided to file a report because he “wasn’t 100% sure it was reported to the Chrome team.” “Because you disclose this issue, but there are no similar messages. Perhaps the team that discovered it decided not to reveal it to us?” a Google employee asks in response.

The bug was fixed on March 29th. Google sent $10,000 as a reward to sisu, who reported the error.



Source link

www.securitylab.ru
