Hacker News
by throwaway3627 2506 days ago
It depends on how an exploit is monetized; the devil is in the terms: exclusivity, duration, scope and level of access. A non-exclusively-licensed exploit that can be sold 50x for $50k/year is bank ($2.5m/yr). If I were to spend 6-9 months developing a good exploit, I wouldn't give it to Apple if and only if money were the primary and sole motivation. However, it makes sense to blog about it, turn it in to Apple and leverage such a discovery into outside Angel funding for a startup... that is if Apple doesn't require onerous NDAs. If the terms from Apple weren't favorable (they're likely to be terrible), then reselling it makes sense if you were really broke, or going the nonprofit security disclosure route at least parlays it into cred.