Apple quietly fixes zero-day flaw in iOS 15.0.2, but didn't credit its finder

article thumbnail

AppleInsider is supported by its audience and may earn commission as an Amazon Associate and affiliate partner on qualifying purchases. These affiliate partnerships do not influence our editorial content.

Apple has quietly patched a zero-day vulnerability that could have given apps access to sensitive information in iOS 15.0.2, but reportedly did not credit the discoverer of the flaw.

The vulnerability was discovered by software developer Denis Tokarev seven months before the release of iOS 15.0.2. Back in September, Tokarev penned a blog post detailing some of his interactions with Apple's Bug Bounty Program, including the fact that he went uncredited on another fixed flaw.

According to Bleeping Computer, Tokarev reached out to Apple after the release of iOS 15.0.2 to inquire about the lack of credit. Apple replied by asking him to keep the contents of their email exchange confidential.

The flaw was an exploitable bug that could have given user-installed apps from the App Store unauthorized access to sensitive data that would normally be protected by sandboxing or Transparency, Consent, and Control protections. Apple says those flaws are worth up to a $100,000 bounty.

In total, Tokarev reported four vulnerabilities to Apple. The company fixed one of them in iOS 14.7 and the second in iOS 15.0.2. Two of the zero-day flaws are still present in the latest version of iOS 15. Apple said they were "still investigating" back in September.

This isn't the first time that a security researcher said they were snubbed by Apple's bug bounty program. Back in September, a report shed light on complaints of security researchers being ignored, going uncredited, or failing to receive payment.

Apple, for its part, characterizes the bug bounty program as a "runaway success." It noted that it works to correct any mistakes that it makes quickly.