Hot on the heels of a zero-click security bug that could compromise your Mac or iPad/iPhone, a security researcher states that three zero-day bugs reported to Apple remain unfixed. That’s just one researcher; there are probably dozens of severe vulnerabilities out in the wild.
Apparently, total system compromise bugs are not a top priority for Apple.
I want to share my frustrating experience participating in the Apple Security Bounty program. I've reported four 0-day vulnerabilities this year between March 10 and May 4; as of now, three of them are still present in the latest iOS version (15.0) and one was fixed in 14.7, but Apple decided to cover it up and not list it on the security content page. When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update. There have been three releases since then and they broke their promise each time.
Ten days ago I asked for an explanation and warned them that I would make my research public if I didn't receive an explanation. My request was ignored, so I'm doing what I said I would. My actions are in accordance with responsible disclosure guidelines (Google Project Zero discloses vulnerabilities 90 days after reporting them to the vendor, ZDI in 120). I have waited much longer, up to half a year in one case.
I'm not the first person who is unhappy with the Apple Security Bounty program. Here are some other reports and opinions:
Here are links to GitHub repositories that contain PoC source code that I've sent to Apple. Each repository contains an app that gathers sensitive information and presents it in the UI...
WIND: Apple software quality is an oxymoron. Apple Core Rot is getting worse, but that’s just for starters.
When it comes to security, your entire life and life savings could be impacted. Think of having your Mac or iPad/iPhone compromised, which then results in all your financial accounts being drained. It can and will happen to some unlucky people.
So we have a company whose propaganda is all about security and privacy that now wants to insert spyware infrastructure into iOS and macOS, while being slow to act or not acting at all on critical security bugs.