Last month security researcher Denis Tokarev, aka illusionofchaos, shared his experience of reporting three zero-day iOS vulnerabilities to Apple, criticizing the company for being slow to respond and act and for not giving him credit for one of the three flaws that were patched. Now it appears Apple has fixed another zero-day flaw that Tokarev found earlier this year, this one in iOS 15, without giving him credit.

In September, Tokarev said that after waiting up to half a year since reporting some of the vulnerabilities to Apple, he decided to go public with the information.

At the end of September, Tokarev shared that he got a response from Apple that said they were still working on the “issues” and apologized for the delay.

“Ten days ago I asked for an explanation and warned then that I would make my research public if I don’t receive an explanation. My request was ignored so I’m doing what I said I would. My actions are in accordance with responsible disclosure guidelines (Google Project Zero discloses vulnerabilities in 90 days after reporting them to the vendor, ZDI – in 120). I have waited much longer, up to half a year in one case.”

In his September blog post, Tokarev detailed the gamed zero-day flaw (one of three), which would allow any app installed from the App Store to gain access to personal user data such as the Apple ID email and full name, the Apple ID auth token, complete file system read access to the Core Duet database, and more.

Now Tokarev says Apple has patched the gamed zero-day he discovered in the iOS 15.0.2 security update without crediting him (via BleepingComputer).

After Tokarev was not credited when the first zero-day flaw he discovered and reported to Apple was fixed in iOS 14.7 (July 19), the company told him:

“Due to a processing issue, your credit will be included on the security advisories in an upcoming update. We apologize for the inconvenience.”

After the second was patched in iOS 15.0.2 with credit to “an anonymous researcher,” Tokarev said Apple did respond to him in six hours, but apparently didn’t have a way to fix the problem of properly citing him. Meanwhile, Apple still hasn’t responded about the analyticsd zero-day he found that was patched in iOS 14.7.

Tokarev was asked to keep the latest emails from Apple confidential and he has followed that request at this time.

Seems that they don’t have a separate protocol on handling reports which were already disclosed. And if this message contains a legit excuse, they could save a tiny bit of reputation by making it public. But it’s up to them, I won’t disclose full message until I get credit. 2/3 pic.twitter.com/iG6waUELtk

— Denis Tokarev (@illusionofcha0s) October 13, 2021

However, they haven’t replied to my second email continuing to ignore my questions about analyticsd vulnerability which I asked exactly a month ago. pic.twitter.com/sFUhMzvAAU