Apple 'still investigating' unpatched security flaws in iOS 15

Credit: Andrew O'Hara, AppleInsider

Earlier in September, security researcher Denis Tokarev penned a blog post detailing some of his interactions with Apple's Bug Bounty Program. Tokarev said that, out of the four security flaws he had submitted to Apple, only one was fixed.

The other three bugs were left unfixed in the released version of iOS 15, Tokarev told Motherboard. In response to his blog post, Apple apologized for the delay in communication and added that it was investigating the issue.

"We saw your blog post regarding this issue and your other reports. We apologize for the delay in responding to you," Apple told Tokarev. "We want to let you know that we are still investigating these issues and how we can address them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your assistance. Please let us know if you have any questions."

In addition to the three bugs that Apple is still working on, Tokarev said that he was not credited for reporting the one vulnerability that the company fixed.

The three unpatched bugs include a flaw that could allow App Store apps to read certain data like an Apple ID email, contacts lists, and other information. However, Tokarev notes that none of the three are critical vulnerabilities, which may explain Apple's lag in fixing them. Tokarev reported the bugs between March 10 and May 4, 2021.

At least one cybersecurity expert told Motherboard that Apple's handling of the situation isn't normal, while another said that the company likely responded to Tokarev because of the media coverage of the unpatched flaws.

Other security researchers have criticized Apple's bug bounty program for poor communication and confusion about payouts. Apple, for its part, characterizes the program as a "runaway success."