They claim to love security and privacy. So it is hard to see how this situation came to pass. They wouldn't be lying to everyone, now would they? Researcher drops three iOS zero-days that Apple refused to fix
The researcher has followed responsible disclosure. He waited 6 months - double the 90 days Google Project Zero uses as a benchmark - in the case of one of the bugs. Apple did fix one bug that he notified them of, but without mentioning it and without paying for it.
Click thru for the details on these 3 zero-days. But there is one thing that really caught my attention.
It seems that this is not one-off occurance, but that Apple has a tendency to NOT live up to the terms of its published bug-bounty.
Other security researchers and bug bounty hunters have also gone through a similar experience when reporting vulnerabilities to Apple's product security team via the Apple Security Bounty Program.
Just this year, some of them have reported that they weren't paid the amount listed on the official bounty page [1, 2] or haven't received any payment at all, others that they have been kept in the dark for months on end with no replies to their messages.
Others have also said their bugs were silently fixed with Apple refusing to give them credit, just as it happened in this case.
It isn't because they can't afford it. So it must be because they don't want to pay.
And as for Apple's "we care deeply about your privacy" statements.
"All this information is being collected by Apple for unknown purposes, which is quite disturbing, especially the fact that medical information is being collected," the researcher said, referring to the analyticsd zero-day silently patched in iOS 14.7.
"That's why it's very hypocritical of Apple to claim that they deeply care about privacy. All this data was being collected and available to an attacker even if 'Share analytics' was turned off in settings.
Some of these vulnerabilities are probably not of interest to folks like Zerodium, but some probably are, and while I don't like the idea of feeding the beast, I completely understand the "if you're going to screw me over then all bets are off" point-of-view. I wonder if Apple understands that?
The Register had even harsher things to say. Frustrated dev drops three zero-day vulns affecting Apple iOS 15 after six-month wait
"To me, the bigger takeaway is that Apple is shipping iOS with known bugs," [Patrick Wardle, founder of free security project Objective See and director of research at security biz Synack] continued, noting that IllusionOfChaos claims to have reported the bugs months ago. "And that security researchers are so frustrated by the Apple Bug Bounty program they are literally giving up on it, turning down (potential) money, to post free bugs online."
Wardle said he considered the researcher's critique of Apple's Security Bounty program to be fair.
"It's not that Apple doesn't have resources or money to fix this," he said. "Clearly it's just not a priority to them. "
And why should it be. If your iPhone gets hacked, what does it cost Apple? 15 minutes of egg on their faces? Maybe. But you agreed to the terms and conditions when you opened the shrink-wrap on your new iPhone, and those terms say that they aren't responsible for anything. (The same goes for Microsoft and Windows. Bugs don't cost them anything. But that is a story for another day.) Are you going to quit using your iPhone because of any of this?
The Register asked Apple to comment, but the brick wall did not respond.
Heh.