- DEMO PAGE Cybersecurity in Massachusetts
Apple has silently fixed a 'gamed' zero-day vulnerability with the release of iOS 15.0.2 on Monday, a security flaw that could let attackers gain access to sensitive user information.
The company addressed the bug without acknowledging or crediting software developer Denis Tokarev for the discovery, even though he reported the flaw seven months before iOS 15.0.2 was released. In July, Apple also silently patched an 'analyticsd' zero-day flaw with the release of iOS 14.7 without crediting Tokarev in the security advisory, instead promising to acknowledge his report in the security advisories for an upcoming update. Since then, Apple has published multiple security advisories (iOS 14.7.1, iOS 14.8, iOS 15.0, and iOS 15.0.1) addressing iOS vulnerabilities, but each time it failed to credit his analyticsd bug report.
Other bug bounty hunters and security researchers have also reported similar experiences when reporting vulnerabilities to Apple's product security team via the Apple Security Bounty Program. Some were not paid the amount listed on Apple's official bounty page or have received no payment at all, while others have been kept in the dark for months on end with no replies to their emails.
Apple has not replied to emails that the technology news website and blog BleepingComputer has sent since September 24 asking for an official statement and more details.
Sources:
Apple silently fixes iOS zero-day, asks bug reporter to keep quiet | BleepingComputer