A security researcher recently published details about a Safari browser bug after Apple delayed creating a patch.
The bug is contained in Safari's implementation of the Web Share API, a cross-browser API for sharing text, links, files, and other content. The bug could be used to leak or steal files from users' devices. For example, a malicious web page could invite users to email an article to their friends and then secretly steal a file from their device.
The researcher who discovered the bug said that it is "not very serious" because social engineering and user interaction are necessary for files to be leaked. However, he did say that it is easy for cybercriminals "to make the shared file invisible to the user."
The researcher first reported the bug to Apple in April 2020. However, Apple delayed patching the bug until spring of 2021. Apple also allegedly tried to stop the researcher from publishing his findings until next spring.
Others have accused Apple of delaying patches and trying to silence security researchers. Google's Project Zero security team refused to participate in Apple's Security Research Device program because it claimed the rules were designed to limit public disclosure and keep researchers silent about their findings.
The infosec industry generally accepts a standard 90-day vulnerability disclosure deadline.

Catalin Cimpanu, "Security researcher discloses Safari bug after Apple delays patch," zdnet.com (Aug. 25, 2020).