On the 3rd of March, I happened upon a severe security vulnerability in an Apple product. Immediately, I reported it to them via the Apple Security Research program. In the initial report, I didn't know I could upload videos, and I asked them if I could upload my video proof to YouTube (unlisted). They told me not to, presumably because they didn't want this to be public. It took them another 9 days (March 14th) to decide that this wasn't an issue. At that point the ticket got marked as "This is expected behavior." I'm convinced that if this vulnerability is made public, Apple would change their mind about its severity. I'm not sure if I can share it, though, as they might use it as an excuse not to pay me a bounty. Thoughts on how to approach this? PS: I asked them if I could post it publicly after they closed the ticket but haven't heard anything from them.
If the issue you found is “expected behaviour”, then there’s no harm in sharing it. Do it publicly while mentioning your timeline and their response. Let everyone else decide if it’s truly an issue or not. If they end up changing it, it becomes proof you found a legitimate problem. That doesn’t guarantee they’ll pay up, but they’ll get even more bad press if they don’t.
Apple has already indicated they don't intend to pay you. By keeping the problem a secret you have no recourse and will continue not being paid. Unless you know someone at Apple who could make it happen, anything other than sharing the bug is a waste of your time and presumably harmful for users who won't know of the problem and thus can't protect against it.
¹ https://www.macrumors.com/2021/09/09/security-researchers-ap...