by eridius
3605 days ago
As tptacek loves to point out, the point of bug bounty programs is not to compete on price with the black market. And in fact, according to the article, the $200k Apple is offering is one of the highest for corporate bug bounty programs already.
The rest of them seem more than reasonable.
None of them are adequate compensation for the full-time work of someone who can find those kinds of bugs. Nor are they meant to be. If you can, for instance, find a bug that allows you to violate the integrity of the SEP, you have a market value as a consultant significantly higher than that $100k bug bounty --- which will become apparent pretty quickly after Apple publicly thanks you for submitting the bug, as they've promised to do.