Apple quietly fixes zero-day flaw in iOS 15.0.2, but didn't credit its finder
Apple has quietly patched a zero-day vulnerability that could have given apps access to sensitive information in iOS 15.0.2, but reportedly did not credit the discoverer of the flaw.
Credit: Andrew O'Hara, AppleInsider
The vulnerability was discovered by software developer Denis Tokarev seven months before the release of iOS 15.0.2. Back in September, Tokarev penned a blog post detailing some of his interactions with Apple's Bug Bounty Program, including the fact that he went uncredited on another fixed flaw.
According to Bleeping Computer, Tokarev reached out to Apple after the release of iOS 15.0.2 to inquire about the lack of credit. Apple replied by asking him to keep the contents of their email exchange confidential.
The flaw was an exploitable bug that could have given user-installed apps from the App Store unauthorized access to sensitive data that would normally be protected by sandboxing or Transparency, Consent, and Control protections. Apple says those flaws are worth up to a $100,000 bounty.
In total, Tokarev reported four vulnerabilities to Apple. The company fixed one of them in iOS 14.7 and the second in iOS 15.0.2. Two of the zero-day flaws are still present in the latest version of iOS 15. Apple said they were "still investigating" back in September.
This isn't the first time that a security researcher said they were snubbed by Apple's bug bounty program. Back in September, a report shed light on complaints of security researchers being ignored, going uncredited, or failing to receive payment.
Apple, for its part, characterizes the bug bounty program as a "runaway success," and says it works quickly to correct any mistakes it makes.
Comments
Just trying really hard to find a reason for this approach from Apple. It's much more likely that the whole bug bounty system is mismanaged and under-funded because someone at Apple has decided it doesn't matter, and that someone is not getting heat from upper management about it.
Time for an email to Tim!
If Apple doesn’t provide the proper assurances and follow-through, I think that it’s far more likely that researchers will get frustrated and try to embarrass Apple.
Since Apple doesn't seem to care about bugs until they get media attention, and fixing them doesn't directly result in more profit, I can't say I'm surprised they're not really interested in paying out the bug bounties.
It is published right here, Apple Security Updates, with a link to the details right here, About the security content of iOS 15.0.2 and iPadOS 15.0.2, including the same details as included with every other security update in the past.
Come on AppleInsider...