AppleInsider is supported by its audience and may earn commission as an Amazon Associate and affiliate partner on qualifying purchases. These affiliate partnerships do not influence our editorial content.
Apple’s latest point update for iOS 15 does not contain patches for three zero-day vulnerabilities that were reported to the company months ago and publicly disclosed last week.
In September, security researcher Denis Tokarev, better known by his pseudonym illusionofcha0s, claimed that Apple ignored multiple reports pertaining to newly discovered zero-day vulnerabilities present in iOS, the company’s flagship mobile operating system. Tokarev reported four flaws to Apple between March 10 and May 4, and while one issue was patched in iOS 14.7, the other three remain active in the latest iOS 15.0.1.
By his own admission, the zero-day vulnerabilities that persist are not critical, with one pertaining to a bug that could enable maliciously crafted apps to read users’ Apple ID information if somehow allowed onto the App Store.
Still, Apple’s handling of the disclosures, reported through the Bug Bounty Program, does not sit well with Tokarev, who penned a blog post in late September detailing his interactions with tech giant’s team. According to the researcher, Apple failed to list the security issue it patched in iOS 14.7 and did not add information about the flaw in subsequent security page updates.
“When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update,” illusionofchaos wrote at the time. “There were three releases since then and they broke their promise each time.”
Apple saw Tokarev’s blog post and again apologized. The company said its teams were still investigating the three remaining vulnerabilities as of Sept. 27, but Tokarev made the flaws public last week in line with standard vulnerability disclosure protocols.
Ethical hackers have criticized Apple’s Bug Bounty Program and the company’s general handling of public security researchers, citing a lack of communication, payment issues and other problems. The initiative offers payouts for bugs and exploits.
Earlier this week, researcher Bobby Rauch publicly disclosed an AirTag vulnerability after Apple failed to answer basic questions about the bug and whether Rauch would be credited with the find. The flaw allows attackers to insert code that could redirect good Samaritans to a malicious webpage when the device is scanned in Lost Mode.