Apple has responded to a security researcher who claimed that the company ignored several of his vulnerability reports, stating that it is "still investigating" the issues.
Earlier in September, security researcher Denis Tokarev penned a blog post detailing some of his interactions with Apple's Bug Bounty Program. Tokarev said that, out of the four security flaws he had submitted to Apple, only one was fixed.
The other three bugs were left unfixed in the released version of iOS 15, Tokarev told Motherboard. In response to his blog post, Apple apologized for the delay in communication and added that it was investigating the issue.
"We saw your blog post regarding this issue and your other reports. We apologize for the delay in responding to you," Apple told Tokarev. "We want to let you know that we are still investigating these issues and how we can address them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your assistance. Please let us know if you have any questions."
In addition to the three bugs that Apple is still working on, Tokarev said that he was not credited for reporting the one vulnerability that the company fixed.
The three unpatched bugs include a flaw that could allow App Store apps to read certain data like an Apple ID email, contacts lists, and other information. However, Tokarev notes that none of the three are critical vulnerabilities, which may explain Apple's lag in fixing them. Tokarev reported the bugs between March 10 and May 4, 2021.
At least one cybersecurity expert told Motherboard that Apple's handling of the situation isn't normal, while another said that the company likely responded to Tokarev because of the media coverage of the unpatched flaws.
Other security researchers have criticized Apple's bug bounty program for poor communication and confusion about payouts. Apple, for its part, characterizes the program as a "runaway success."
3 Comments
It’s getting harder for Apple to maintain all back doors when those pesky security researchers keep finding them
so, again, the way to get a dialog with Apple is to throw the dirty laundry out on the street. Why?? How many departments are as dysfunctional as this one?