In early September, security researcher Denis Tokarev wrote a blog post in which he reluctantly complained about some interactions with Apple’s bug bounty program. The matter originated from four security vulnerabilities submitted to Apple through the Bug Bounty Program. However, after waiting for a long time, he found that only one had been fixed. The latest news is that Apple has responded to this matter, claiming that it is “still investigating” the related issues.
In an interview with Motherboard, Tokarev said that the other three vulnerabilities were not fixed in time for the iOS 15 update that was launched earlier. Now, Apple has apologized for the delay in communication and added that the company is investigating the related issues.
We have seen your blog posts and other reports on this issue, and apologize for the late response. We want you to know that we are still investigating these issues and how we fix them to protect our customers. Thank you again for taking the time to report these issues to us. If you need assistance, please let me know.
However, apart from the three vulnerabilities that Apple is still working to fix, Tokarev said that he was not credited for reporting the bug that was fixed.
It is reported that the three unpatched vulnerabilities include a flaw that could allow the App Store application to read certain data, including the Apple ID, email address, contact list, etc. However, Tokarev also admitted that none of the three vulnerabilities, reported between March 10 and May 4, 2021, was that serious, so he can understand to a certain extent why Apple does not give them a high priority.
Finally, despite Apple’s claims that the bug bounty program has been successful, at least one cybersecurity expert told Motherboard that Apple’s handling of such situations is somewhat abnormal. Another said that Apple only devoted some effort to responding to Tokarev’s concerns after the media exposed the vulnerabilities.