Apple patched an iOS lock screen bypass without crediting its discovery

In September, researcher Jose Rodriguez detailed an iOS vulnerability that enables attackers to bypass a secured iPhone lock screen and access notes through a combination of VoiceOver and common sharing tools.

Rodriguez published a proof of concept on his YouTube channel on Sept. 20, illustrating methods by which a user's notes can be copied and sent to another device. The researcher did not disclose the vulnerability to Apple prior to going public, saying at the time that he was "giving away" the exploit in hopes of shedding light on problems related to the tech giant's Bug Bounty Program.

As noted by Rodriguez in a Twitter post on Friday, Apple's iOS 15.0.1 release contains a fix for the lock screen bypass. Accompanying release notes show that Apple did not assign a CVE designation or provide credit to the researcher for discovering the flaw. The company pulled a similar move last month when it quietly fixed a macOS Finder bug.

A report last week saw researchers criticize Apple's Bug Bounty Program for a general lack of communication and issues with payouts for discovered vulnerabilities. Those sentiments were recently echoed by security researchers Denis Tokarev, Bobby Rauch and Rodriguez, all of whom discovered and reported bugs to Apple.

The tech giant's head of security engineering, Ivan Krstic, in an interview last month called the program a "runaway success," adding that Apple is gathering feedback as it continues to "scale and improve" the initiative. Apple works hard to address mistakes and "learn from them to rapidly improve the program," he said at the time.

Recent reports indicate that Apple hired a new team lead to reform the Bug Bounty Program.