By Naveen Athrappully
Apple has apologized to a security researcher who detailed his “frustrating” experiences dealing with the company, after he disclosed bugs in the iOS operating system.
Apple has been criticized for the alleged mishandling of security vulnerability alerts notified through its bug bounty program. Researchers claim that this is symptomatic of the company’s bug bounty program being riddled with complications, ranging from poor communication to unresolved payment issues.
In security researcher Denis Tokarev’s post, he claims to have reported four zero-day vulnerabilities in Apple’s iOS mobile operating system. Zero-days refer to new bugs or security flaws in the system for which there are no patches currently available.
After reporting the issues to Apple, Tokarev said that Apple ignored three of them, and released a patch for the fourth one. But when the latest iOS version, 15.0, was released, the patch was not covered in the company’s security content page, and Tokarev was not given any credit.
The bugs that Tokarev investigated allowed apps to read user data like contact lists and Apple ID email, along with other personally identifying information.
Tokarev requested an explanation, and was informed by company representatives that they faced a processing issue during the listing and would get to it soon. But three new releases came with no mention about the security update, following which Tokarev decided to make details of his investigation public.
“We saw your blog post regarding this issue and your other reports. We apologize for the delay in responding to you,” Apple told Tokarev after his post. “We want to let you know that we are still investigating these issues and how we can address them to protect customers.”
As for the other three zero-days, a jail-breaker developer has claimed to have fixed them, according to an update on Tokarev’s blog. The bugs that Tokarev discovered were not critical, as they needed a malicious app to gain access to the App Store before exploiting user information.
But the way Apple handled the issue is what irked Tokarev, who mentioned several other security researchers who were likewise frustrated with the Apple Bug Bounty Program.
Bug bounty hunting programs allow ethical hackers and cybersecurity specialists to get paid for discovering bugs in systems and networks. Many major corporations conduct the programs to ensure safety and security for their users. Apple released its program in 2016, but researchers have blamed the company’s “insular culture” for poor communication and a large backlog of bugs yet to be patched.
“You have to have a healthy internal bug fixing mechanism before you can attempt to have a healthy bug vulnerability disclosure program,” Luta Security CEO Katie Moussouris told The Washington Post. “What do you expect is going to happen if they report a bug that you already knew about but haven’t fixed? Or if they report something that takes you 500 days to fix it?”
Apple did not immediately respond to a request for comment.