Last month, security researcher Denis Tokarev shared his experience of reporting three zero-day iOS vulnerabilities to Apple. He criticized Apple for being slow to respond, slow to act, and for failing to patch one of the three reported vulnerabilities in a timely manner.
It now appears that Apple has fixed one of these zero-day vulnerabilities, an iOS 15 flaw that Tokarev discovered earlier this year, but Apple did not credit him or express its gratitude.
In September of this year, Tokarev said that after reporting some vulnerabilities to Apple and waiting for as long as six months, he decided to make this information public.
Seems that they don’t have a separate protocol on handling reports which were already disclosed. And if this message contains a legit excuse, they could save a tiny bit of reputation by making it public. But it’s up to them, I won’t disclose full message until I get credit. 2/3 pic.twitter.com/iG6waUELtk
— Denis Tokarev (@illusionofcha0s) October 13, 2021
"Ten days ago, I asked for an explanation and warned at the time that if I did not get an explanation, I would make my research public. My request was ignored, so I am doing what I said. My actions are in compliance with responsible disclosure guidelines (Google Project Zero disclosed the vulnerabilities within 90 days after reporting to the vendor ZDI). I waited longer, in one case as long as six months."
At the end of September, Tokarev shared that he had received a response from Apple saying that it was still dealing with these problems and apologizing for the delay.
In his September blog post, Tokarev detailed the Gamed zero-day vulnerability (one of the three). The vulnerability would allow any application installed from the App Store to obtain personal user data, such as the Apple ID email and full name, the Apple ID authorization token, and full file system read access to the Core Duet database, among others.
Tokarev now says he has found that Apple patched the Gamed zero-day vulnerability he discovered in the iOS 15.0.2 security update, but did not attribute it to him. When the first zero-day vulnerability that Tokarev discovered and reported to Apple was fixed in the official version of iOS 14.7 (July 19), he was not rewarded either, and Apple told him:
"Due to processing issues, your reward will be included in the security recommendations in the upcoming update. We apologize for the inconvenience caused."
After Apple patched the second vulnerability in iOS 15.0.2 and attributed it to an anonymous researcher, Tokarev said that Apple did respond to him within six hours, but apparently, there was no way to correct it. Quoting his question. At the same time, Apple has still not responded regarding compensation for the analytics zero-day vulnerability that he discovered, which was patched in iOS 14.7.
Tokarev was asked to keep Apple’s latest email confidential, and he has also complied with this request.