Apple has apologized to a security researcher who detailed his “disappointing” experiences dealing with the company after disclosing a bug in the iOS operating system.
Apple has been criticized for allegedly mishandling vulnerability reports submitted through its bug bounty program. Researchers say this is a symptom of a program fraught with complications, ranging from poor communication to unresolved payment issues.
In a blog post, security researcher Denis Tokarev says he reported four zero-day vulnerabilities in Apple's iOS mobile operating system. A zero-day is a newly discovered bug or security flaw for which no patch is yet available.
After reporting the issues to Apple, Tokarev said that Apple overlooked three of them, and issued a patch for the fourth. But when the latest iOS version, 15.0, was released, the company’s security content page didn’t cover the patch, and no credit was given to Tokarev.
The bugs Tokarev investigated allowed apps to read user data such as contact lists and the Apple ID email address, along with other personally identifying information.
Tokarev asked for an explanation and was told by company representatives that a processing problem had kept his credit out of the listing and that it would appear shortly. Three further releases followed with no mention of a security update, after which Tokarev decided to make the details of his investigation public.
“We saw your blog post about this issue and your other reports. We apologize for the delay in responding to you,” Apple told Tokarev after his post, adding that it was “investigating the issues and how we can address them to protect customers.”
According to an update on Tokarev's blog, a jailbreak developer claims to have fixed the other three zero-days. The bugs Tokarev discovered were of limited severity, since exploiting them required a malicious app to first get into the App Store before it could access user information.
But the way Apple has handled the issue upset Tokarev, who mentored several other security researchers who were similarly frustrated with the Apple bug bounty program.
Bug bounty programs pay ethical hackers and cyber security experts to find bugs in systems and networks, and many major corporations run them to protect their users. Apple launched its program in 2016, but researchers blame the company's “insular culture” for poor communication and a huge backlog of reported bugs that have yet to be patched.
“You have to have a healthy bug-fixing mechanism in place before you can attempt a healthy bug vulnerability disclosure program,” Luta Security CEO Katie Moussouris told The Washington Post. “What do you expect if they report a bug you already knew but didn't fix? Or if they report something that took you 500 days to fix?”
Apple did not immediately respond to a request for comment.
This article originally appeared in The Epoch Times.