Will security researchers have to publicly disclose iOS flaws before they are fixed for Apple to take them seriously? That would be an undesirable outcome: disclosing a vulnerability before a patch has been distributed puts not only Apple at risk but, above all, its users.
Sometimes, however, the manufacturer leaves no other option. Denis Tokarev, aka “IllusionOfChaos”, last week made public several security vulnerabilities affecting iOS; one of them was fixed in iOS 14.7, but three are still present in iOS 15.
Tokarev reported these three flaws to Apple between March 10 and April 29. He received an acknowledgment of receipt in August, then nothing. On September 13, he warned that he would publish details of the vulnerabilities unless the manufacturer got back to him.
Apple did respond, but only after he had published the post describing the flaws in question. “We have seen your post about the problem and your other reports. We are sorry for the delay in response,” writes an employee.
In other words, the researcher had to make a splash and be picked up by the press before Apple decided to get back in touch. Incidentally, this is reminiscent of what developers often have to do to get an explanation for a particular App Store decision.
Regardless, Apple is still investigating the three vulnerabilities and how they can be fixed. Fortunately, they are not critical: to exploit them, a malicious application would have to be installed on the device, and only the App Store can distribute applications, each of which must first pass through Apple’s review.
Apple recently announced improvements to its bug bounty program and, above all, is working hard to win back the favor of security researchers.