According to the report, Apple patched the vulnerability without crediting software developer Denis Tokarev, who had discovered and reported the bug seven months before the release of iOS 15.0.2.
Seems that they don’t have a separate protocol on handling reports which were already disclosed. And if this message contains a legit excuse, they could save a tiny bit of reputation by making it public. But it’s up to them, I won’t disclose full message until I get credit. 2/3 pic.twitter.com/iG6waUELtk
— Denis Tokarev (@illusionofcha0s)
“Due to a processing issue, your credit will be included on the security advisories in an upcoming update. We apologize for the inconvenience,” Apple had told Tokarev in an email in July.
Two days ago, after iOS 15.0.2 was released, Tokarev emailed again about the lack of credit for the gamed and analyticsd flaws in the security advisories. Apple replied, asking him to treat the contents of their email exchange as confidential.
This isn’t the first time Apple’s security team has asked for confidentiality. Back in August, the company had told the developer that the gamed zero-day would be fixed in a future security update while urging him not to disclose the bug publicly.