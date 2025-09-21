Three iOS 0-days revealed by researcher frustrated with Apple's bug bounty:
Yesterday, a security researcher who goes by illusionofchaos dropped public notice of three zero-day vulnerabilities in Apple's iOS mobile operating system. The vulnerability disclosures are mixed in with the researcher's frustration with Apple's Security Bounty program, which illusionofchaos says chose to cover up an earlier-reported bug without giving them credit.
[...] illusionofchaos says that they've reported four iOS security vulnerabilities this year—the three zero-days they publicly disclosed yesterday plus an earlier bug that they say Apple fixed in iOS 14.7. It appears that their frustration largely comes from how Apple handled that first, now-fixed bug in analyticsd.
[...] According to illusionofchaos, they sent Apple the first detailed report of this bug on April 29. Although Apple responded the next day, it did not respond to illusionofchaos again until June 3, when it said it planned to address the issue in iOS 14.7. On July 19, Apple did indeed fix the bug with iOS 14.7, but the security content list for iOS 14.7 acknowledged neither the researcher nor the vulnerability.
Apple told illusionofchaos that its failure to disclose the vulnerability and credit them was just a "processing issue" and that proper notice would be given in "an upcoming update." The vulnerability and its resolution still were not acknowledged as of iOS 14.8 on September 13 or iOS 15.0 on September 20.
Frustration with this failure of Apple to live up to its own promises led illusionofchaos to first threaten, then publicly drop this week's three zero-days. In illusionofchaos' own words: "Ten days ago I asked for an explanation and warned then that I would make my research public if I don't receive an explanation. My request was ignored so I'm doing what I said I would."
[...] Assuming illusionofchaos' description of their disclosure timeline is correct—that they've waited for longer than 30 days, and in one case 180 days, to publicly disclose these vulnerabilities—it's hard to fault them for the drop. We do wish they had included full timelines for their interaction with Apple on all four vulnerabilities, rather than only the already-fixed one.
[...] Since Ars published a piece earlier this month about Apple's slow and inconsistent response to security bounties, several researchers have contacted us privately to express their own frustration. In some cases, researchers included video clips demonstrating exploits of still-unfixed bugs.
We have reached out to Apple for comment, but we have yet to receive any response as of press time. We will update this story with any response from Apple as it arrives.