[bastawhiz]

That's easy to say when you're not a security researcher whose income depends on getting paid for finding vulnerabilities—a career that wouldn't exist if Apple hadn't created the bounty program in the first place. It's really bad when you do good work that a third party goes back on their promise to pay you for: it's not always possible to accept the L and move on without pay.

[hifromwork]

I'm a security researcher, but it's true that my income doesn't depend on getting paid for security vulnerabilities[1]. On the other hand, I'm old enough to remember when bug bounties didn't exist and yet (most) people did the right thing and disclosed their finds responsibly.

If the bug from OP falls under Apple's bug bounty and yet Apple refuses to pay, it's a very shitty behaviour and I hope they're forced to pay by the backlash and the researcher is made right. But if not, the reasonable response is to stop doing security research for free for Apple, not doing research with a goal of using it immorally due to a kneejerk reaction. If Apple stops their bug bounty program today this is still not a justification to look for vulnerabilities in their products and sell them on the black market.

[1] I'm mostly dealing with the people abusing the vulnerabilities, so that may influence my worldview.

[bastawhiz]

It's pretty undeniable that there exists a significant cohort of folks whose sole reason for getting into security is to find vulnerabilities to collect bounties. Beg bounties are that taken to an extreme.

> But if not, the reasonable response is to stop doing security research for free for Apple, not doing research with a goal of using it immorally due to a kneejerk reaction.

I'm sure lots of people will! But that won't necessarily stop folks from saying "I've discovered a vulnerability that would yield me an amount of money that would substantially improve my near-to-medium-term quality of life" and doing what's necessary to profit from that. Apple's program _necessarily_ inflates the amount of money a vulnerability sells for through immoral channels regardless of whether anyone is participating in it.

> If Apple stops their bug bounty program today this is still not a justification to look for vulnerabilities in their products and sell them on the black market.

This might be true for you, but that doesn't mean it's true for even a majority of other people.

[ffsm8]

> yet (most) people did the right thing and disclosed their finds responsibly.

How would you know? I'm not a security researcher and still know that there were always multiple avenues for selling vulns, and most weren't public.

So really, what makes you think you can make that statement with any kind of confidence?