SAN FRANCISCO — On Jan. 19, Grant Thompson, a 14-year-old in Arizona, made an unexpected discovery: Using FaceTime, Apple’s video chatting software, he could eavesdrop on his friend’s phone before his friend had even answered the call.

His mother, Michele Thompson, sent a video of the hack to Apple the next day, warning the company of a “major security flaw” that exposed millions of iPhone users to eavesdropping. When she didn’t hear from Apple Support, she exhausted every other avenue she could, including emailing and faxing Apple’s security team, and posting to Twitter and Facebook. On Friday, Apple’s product security team encouraged Ms. Thompson, a lawyer, to set up a developer account to send a formal bug report.

But it wasn’t until Monday, more than a week after Ms. Thompson first notified Apple of the problem, that Apple raced to disable Group FaceTime and said it was working on a fix. The company reacted after a separate developer reported the FaceTime flaw and it was written about on 9to5mac.com, a news site for Apple fans, in an article that went viral.

The bug, and Apple’s slow response to patching it, have renewed concerns about the company’s commitment to security, even though it regularly advertises its bug reward program and boasts about the safety of its products. Hours before Apple’s statement addressing the bug Monday, Tim Cook, the company’s chief executive, tweeted that “we all must insist on action and reform for vital privacy protections.”