A story about an Apple and two fetches

submitted by
Style Pass
2021-07-20 19:30:07

Mistreatment by Apple Security is unfortunately something you’re likely to come across on a regular basis. Usually this concerns people who do unpaid work for Apple in their spare time by auditing its assets. Despite Apple’s website claiming the opposite, you’ll frequently find things like quiet patching, no credit, no bounties, and an appalling lack of communication.

This is unwise on Apple’s part because it frustrates the people who find these bugs and disincentivizes them from sharing them with Apple. Remember, every bug that gets reported to them (instead of being sold to some shady outfit) and subsequently fixed is one that cannot be exploited in the future to make your device less safe. The very least they can do to honour the work of independent researchers is to communicate clearly and give them credit where appropriate.

Last year on June 30th 2020, I discovered a vulnerability in Apple’s kernel (darwin-xnu), which I promptly reported. On July 2, 2020, I received notification that my report had been examined and that they were looking into the issue. A few days later, I asked if I could be kept informed of any updates, and they indicated there were none at the time. I never heard from them again after that.