Security researchers report that zero-day vulnerabilities reported to Apple are silently fixed



Apple released iOS 15.0.2 on October 12, 2021. iOS 15.0.2 fixes zero-day vulnerabilities, and it has become clear that the zero-day vulnerabilities related to Game Center that developer Dennis Tokarev reported seven months ago were also quietly fixed.

Apple silently fixes iOS zero-day, asks bug reporter to keep quiet
https://www.bleepingcomputer.com/news/apple/apple-silently-fixes-ios-zero-day-asks-bug-reporter-to-keep-quiet/

This time, Apple secretly fixed one of the four zero-day vulnerabilities reported by developer Tokarev from March to May 2021: the 'zero-day vulnerabilities in Game Center'. Tokarev released the details in September 2021 because the zero-day vulnerability he reported had been left unattended by Apple for several months.




The zero-day vulnerability reported by Tokarev has been fixed multiple times since iOS 14.7, released in August 2021. However, Apple did not mention in the official release notes that it fixed the zero-day vulnerability.

When Tokarev asked why the zero-day vulnerability wasn't included in the update details, Apple explained, '(The reason the fix for the zero-day vulnerability reported by Tokarev could not be publicly explained) was a processing issue, and it will be included in the security advisory with credits in a future update. We apologize for any inconvenience.'

And this time, the 'zero-day vulnerability in Game Center' reported by Tokarev has been silently fixed in iOS 15.0.2. Tokarev noticed that the vulnerability he reported had once again been fixed silently, so he emailed Apple again asking for an explanation. At that time, Apple asked Tokarev to 'treat the exchange of emails confidentially.'



In addition, in recent years there have been an increasing number of reports that zero-day vulnerabilities reported to Apple were secretly fixed. The 'vulnerability that allows access to the memo app without unlocking the iPhone' by using the VoiceOver function and sharing tools, which security researcher Jose Rodriguez released to the public on September 22, 2021, has also been silently fixed with the release of iOS 15.0.1.




Some security researchers whose reported zero-day vulnerabilities were silently fixed complain that they are not receiving the bounty they would get from reporting to the bug rewards program.

in Mobile,   Software,   Security, Posted by logu_ii