Apple has apologized to a security researcher who detailed his “frustrating” experiences dealing with the company, after he disclosed bugs in the iOS operating system.
Apple has been criticized for the alleged mishandling of security vulnerability alerts notified through its bug bounty program. Researchers claim that this is symptomatic of the company’s bug bounty program being riddled with complications, ranging from poor communication to unresolved payment issues.
The bugs that Tokarev investigated allowed apps to read user data like contact lists and Apple ID email, along with other personally identifying information.
Tokarev requested an explanation and was informed by company representatives that they had faced a processing issue during the listing and would get to it soon. But three further releases came with no mention of the security update, after which Tokarev decided to make the details of his investigation public.
“We saw your blog post regarding this issue and your other reports. We apologize for the delay in responding to you,” Apple told Tokarev after his post. “We want to let you know that we are still investigating these issues and how we can address them to protect customers.”
As for the other three zero-days, a jailbreak developer has claimed to have fixed them, according to an update on Tokarev’s blog. The bugs that Tokarev discovered were not critical, as a malicious app would first have needed to get into the App Store before it could exploit them to harvest user information.
But the way Apple handled the issue is what irked Tokarev, who mentioned several other security researchers who were likewise frustrated with the Apple Bug Bounty Program.
Bug bounty programs allow ethical hackers and cybersecurity specialists to get paid for discovering bugs in systems and networks. Many major corporations run such programs to ensure the safety and security of their users. Apple launched its program in 2016, but researchers have blamed the company’s “insular culture” for poor communication and a large backlog of bugs yet to be patched.
Apple did not immediately respond to a request for comment.