On Thursday, security researcher Denis Tokarev, frustrated with Apple’s Security Bounty program, revealed three zero-day vulnerabilities in Apple’s iOS operating system to express that frustration publicly. Apple has now apologized to Tokarev.
Tokarev reported the vulnerabilities to Apple between March 10 and April 29, but the last time he heard back from Apple about the three vulnerabilities was August 6, August 12, and August 25, respectively. The researcher said he then told Apple on September 13 that he would publish details of the bugs unless he heard back.
It was only after he went public with details about the unpatched bugs that Apple reached out, according to Tokarev, who shared Apple’s email with Motherboard.
“We saw your blog post regarding this issue and your other reports. We apologize for the delay in responding to you,” an Apple employee wrote. “We want to let you know that we are still investigating these issues and how we can address them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your assistance. Please let us know if you have any questions.”
“While I’m glad Apple appears to be taking this particular situation more seriously now, it comes across as more of a reaction to bad press than anything else,” Nicholas Ptacek, a researcher who works for SecureMac, a cybersecurity company that focuses on Apple computers…
The vulnerabilities Tokarev found, as he himself admitted and security researchers agreed, are not highly critical, as they could only be exploited by a malicious app that would need to get on the App Store and then on people’s devices.
MacDailyNews Take: Apple is notoriously bad with communication, especially with the outside world; it’s a very insular company, to a fault sometimes (most times). We expect an update to patch the three vulnerabilities will (now) be coming soon.