[sillysaurusx]

> Thanks a lot Maddie! Sure, I wanted to write a full exploit and achieve tfp0 before submitting because it affects the submission quality. I'm pretty busy right now, so I planned to work on it after August. I did plan to submit it, but I wanted to get an exploit first :)

As a former pentester, that's precisely the opposite of the correct thing to do. tptacek could phrase this more eloquently, but pentesters do not try to weaponize exploits. The whole point of exploiting is to demonstrate that a vuln exists. Once that demonstration is complete, weaponization serves no purpose.

(No purpose for protecting users, anyway, which is the whole point of pentesting.)

I'm surprised no one seems to care. Maybe times are changing.

[aj3]

Apple is asking for "a reasonably reliable exploit" for full bounty payment: https://developer.apple.com/security-bounty/

[saagarjha]

Apple will generally not award you a bounty unless you send them a full chain.

[sillysaurusx]

Oh. Then it's totally justified. My mistake.

I didn't realize that there might be a difference in the awarded bounty level. That's... unfortunate for them. As you can see here, he was sitting on this for some time.

[_kbh_]

The only 'correct' thing to do is whatever the person who discovered the bug wants to do. Responsible disclosure is a nicety that most people in the industry follow, it is not a requirement.