Apple fixes zero-day flaw in iOS, doesn't credit reporter
Apple has silently fixed the second of the four flaws reported by security researcher Denis Tokarev without crediting him
October 14, 2021 / 03:05 PM IST
With iOS 15.0.2, Apple has quietly fixed another zero-day vulnerability
In September, security researcher Denis Tokarev published a blog post about his experience with Apple's security bounty program. Tokarev said that he reported four zero-day security vulnerabilities between March 10 and May 4.
Apple quietly fixed one of them with the iOS 14.7 release but did not credit Tokarev in the advisory. When Tokarev reached out, Apple apologised and assured him that the missing listing was due to a processing issue, and that further updates would have them listed. After three more updates, Tokarev had still not been given the credit.
Now, with the release of iOS 15.0.2, Apple has fixed another one of the four issues, which could have let hackers gain access to sensitive information, but has once again neglected to credit Tokarev.
When contacted by Tokarev, Apple simply told him, "We ask you treat the following information as confidential," in an email exchange that Tokarev shared on Twitter.
Two of the four vulnerabilities are still unpatched, and Apple continues to ignore any questions that Tokarev has asked about them.
Other security researchers have reported similar issues with Apple's Security Bounty Program. Many have complained that Apple failed to pay them, or put their queries on hold and kept them in the dark for months on end.
Speaking with BleepingComputer, Tokarev said, "All things considered, they treat gamed vulnerability a bit better than analytics, at least they don't ignore me and lie to me this time."