Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Apple 'still investigating' unpatched security flaws in iOS 15

Credit: Andrew O'Hara, AppleInsider

Apple has responded to a security researcher who claimed that the company ignored several of his vulnerability reports, stating that it is "still investigating" the issues.

Earlier in September, security researcher Denis Tokarev penned a blog post detailing some of his interactions with Apple's Bug Bounty Program. Tokarev said that, out of the four security flaws he had submitted to Apple, only one was fixed.

The other three bugs were left unfixed in the released version of iOS 15, Tokarev told Motherboard. In response to his blog post, Apple apologized for the delay in communication and added that it was investigating the issue.

"We saw your blog post regarding this issue and your other reports. We apologize for the delay in responding to you," Apple told Tokarev. "We want to let you know that we are still investigating these issues and how we can address them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your assistance. Please let us know if you have any questions."

In addition to the three bugs that Apple is still working on, Tokarev said that he was not credited for reporting the one vulnerability that the company fixed.

The three unpatched bugs include a flaw that could allow App Store apps to read certain data like an Apple ID email, contacts lists, and other information. However, Tokarev notes that none of the three are critical vulnerabilities, which may explain Apple's lag in fixing them. Tokarev reported the bugs between March 10 and May 4, 2021.

At least one cybersecurity expert told Motherboard that Apple's handling of the situation isn't normal, while another said that the company likely responded to Tokarev because of the media coverage of the unpatched flaws.

Other security researchers have criticized Apple's bug bounty program for poor communication and confusion about payouts. Apple, for its part, characterizes the program as a "runaway success."



3 Comments

bloggerblog 2520 comments · 16 Years

It’s getting harder for Apple to maintain all back doors when those pesky security researchers keep finding them

michelb76 700 comments · 8 Years

so, again, the way to get a dialog with Apple is to throw the dirty laundry out on the street. Why?? How many departments are as dysfunctional as this one?

MplsP 4047 comments · 8 Years

michelb76 said:
so, again, the way to get a dialog with Apple is to throw the dirty laundry out on the street. Why?? How many departments are as dysfunctional as this one?

Stories like this aren’t isolated - there have been many, repeated reports about apple ignoring bug reports from security researchers, failing to pay bug bounties, etc. Enough that they can’t be blown off as isolated incidents or a couple of disgruntled hackers.

Apple is notorious for being tight-lipped and secretive, but this is an area where they need to open up. It affects their reputation, but more importantly, it affects us, their users.