[tccc]

People deserve to be compensated for their work, however, to suggest selling it to the highest bidder is completely unethical. If you undertake work without a prior agreement to be paid for it, you can't go and hold the security of the userbase hostage in demanding payment.

[mdekkers]

selling it to the highest bidder is completely unethical

Whilst I don't disagree with the sentiment, "ethics" doesn't appear to have been any kind of motivator for business in general, ever. Look around you. How much of our goods and services have been produced by people working for a wage that is far below even the "living wage" threshold? What kind of life do these people live? What is their standard of living? How many of these products inflict extreme damage on the environment in some form, either directly or indirectly through the fossil fuels used and CO2 released in their production?

I strongly feel that "ethics" should become an overriding factor in where we are going as a species. But I don't agree that the place to start crying about ethics is some guy that finds problems in the product of a company with an insanely large cash reserve who's current "financial woes" are measured in "we are making a few billion dollars profit per quarter less then expected"

Apple can cry me a fucking river. It is on them to produce quality and secure products, instead of trying to squeeze every last cent of "cost reduction" out of every last element of their supply chain to the detriment of their user base. It isn't like they sell budget products, in almost all cases, Apple are the most expensive option for getting anything done.

Bug bounty programs are nothing new, and can be an effective avenue to increase the security and reliability of your products. It isn't like this guy is asking for anything outlandish, and he doesn't owe anything to anyone.

[droithomme]

One can reasonably argue that if Apple has a bounty program and therefore finds information about critical security vulnerabilities in their products valuable, that one should prefer to sell information about such to them.

However the situation is that they do not and thus the absolute economic fact is that Apple considers such information utterly without value. Given these there are no obligations upon hard working security researchers and they are free to sell to someone who does find such information at the least trivially valuable. In fact it would be utterly unethical to do otherwise. A man is worthy of compensation for his labor provided that labor has value. If one party finds his labor of no value that is not a problem. If some other party, such as the NSA, finds it valuable then they have the right to sell it.

Obviously there are (unethical and disingenuous) trolls who will bring up scenarios where things are illegal. We are not considering those. Implicit is that this is an economic transaction. Which can consider ethics, such as the right to be paid for valuable labor. But does not extend to the right to commit crimes. The constraint here, obvious, is that we are discussing legal commercial transactions for legally performed work.