by dogma1138 2692 days ago
They decided to spend time on finding a bug knowing that there is no bug bounty program for OSX; this is essentially blackmail.

The other possibility is that this bug is so trivial, e.g. the press-enter-a-lot bug, that you can hardly argue a reward is warranted for their effort.


If pressing enter a lot is such a trivial way of activating a bug, why wasn't it already found by Apple?

I would hope that Apple employs dozens of people at $100K or more a year to find bugs in macOS. Why wouldn't they pay comparable amounts to incentivize others to find bugs?

Failure to do so is a significant indication of their priorities.

I didn't say they shouldn't pay; estimating the effort for finding a vuln is a silly practice. However, if it was trivial to find and essentially stumbled upon, you can't say they must pay for your effort, because there was no real effort involved.

And I would bet that Apple pays its security engineers well above 100K.

It is more akin to holding a user base hostage; if I were a company with a bug bounty program I would permanently ban Linus Henze from participating. This is highly unprofessional behavior.