Apple says investigating flaws in iOS 15 pointed out by security researcher
Apple put out a statement after researcher Denis Tokarev detailed his interaction with the Security Bounty Program in a blog post
September 28, 2021 / 01:31 PM IST
Apple says it's still investigating the issues brought forth by Tokarev
Security researcher Denis Tokarev put up a blog post earlier this month, detailing his frustrating experience with Apple's Security Bounty Program.
Tokarev says that he reported four zero-day vulnerabilities in Apple's iOS between March 10 and May 4. Only one of them was fixed with the iOS 14.7 release, and the three remaining are still present in iOS 15. Worse, Apple also neglected to put these issues on the Security Content Page.
When confronted by Tokarev, Apple apologised, assured him that the missing listings were due to a processing issue, and promised they would have the flaws listed. Three more releases of iOS later, the issues are still missing.
Tokarev then requested that the flaws be listed, saying that otherwise he would, in accordance with disclosure guidelines, make them public. His requests were ignored and he penned a blog post detailing the issues.
In response, Apple has now reached out to Tokarev.
"We saw your blog post regarding this issue and your other reports. We apologize for the delay in responding to you," Apple told the researcher.
"We want to let you know that we are still investigating these issues and how we can address them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your assistance. Please let us know if you have any questions."
Tokarev has also pointed out that the one flaw Apple did fix was not credited to him.
While Apple says its Security Bounty Program is a success, many researchers have spoken out against the company's poor communication practices and confusion over payouts.