by latexr 1160 days ago
Apple is notoriously stingy with bug bounties.¹ They also like to say “going to the press doesn’t help” when time and again it’s been shown they only react to bad press.

If the issue you found is “expected behaviour”, then there’s no harm in sharing it. Do it publicly while mentioning your timeline and their response. Let everyone else decide if it’s truly an issue or not. If they end up changing it, it becomes proof you found a legitimate problem. That doesn’t guarantee they’ll pay up, but they’ll get even more bad press if they don’t.

Apple has already indicated they don’t intend to pay you. By keeping the problem a secret you have no recourse and will continue not being paid. Unless you know someone at Apple which could make it happen, anything other than sharing the bug is a waste of your time and presumably harmful for users who won’t know of the problem and thus can’t protect against it.

¹ https://www.macrumors.com/2021/09/09/security-researchers-ap...


Hey thanks for this take. Definitely feels like the approach I should take based on their behaviour.

Besides, what’s the harm in me discussing “intended behaviour”?

I recommend waiting the industry standard 90 days before volunteering intended behavior.

Why wait? The point of the 90 days is to give them time to fix it, but if they consider it intended behavior, they aren't going to fix it.

If they don't intend to fix it, then what's the problem with waiting? The bug's still gonna be there in 90 (minus however long it's already been) days and rushing disclosure really doesn't reflect well on you as a researcher to the rest of the industry. Of course, if you have your own bug, you're welcome to disclose it whenever you want, even violating NDAs if you feel like the vendor hasn't gone far enough. There may be legal repercussions with that last bit, but again, that's up to you.

Oh that’s cool! I forgot about this!