1) Suppose Apple sells potentially vulnerable software to users and knowingly refuses to curb market demand for potential exploits to the benefit of their bottom line. When a zero-day is discovered and sold to the highest bidder, what percentage of the blame does Apple deserve?
2) How does that percentage change with respect to the following? (a) potential number of users affected (b) cost of a bounty program as a percentage of total profit from sale of the vulnerable software
And yes, he may have spent millions in hours to find this issue, but that’s a sunk cost now.
It's reasonable to expect compensation for your work. Caveat that they don't sell it to someone who will exploit it.
Building or acquiring something of value in the hopes of profiting from it later is a fundamental part of life. It is why we go to school, invest in machinery, develop products, do research, etc.
Whilst I don't disagree with the sentiment, "ethics" doesn't appear to have been any kind of motivator for business in general, ever. Look around you. How much of our goods and services have been produced by people working for a wage that is far below even the "living wage" threshold? What kind of life do these people live? What is their standard of living? How many of these products inflict extreme damage on the environment in some form, either directly or indirectly through the fossil fuels used and CO2 released in their production?
I strongly feel that "ethics" should become an overriding factor in where we are going as a species. But I don't agree that the place to start crying about ethics is some guy that finds problems in the product of a company with an insanely large cash reserve whose current "financial woes" are measured in "we are making a few billion dollars profit per quarter less than expected".
Apple can cry me a fucking river. It is on them to produce quality and secure products, instead of trying to squeeze every last cent of "cost reduction" out of every last element of their supply chain to the detriment of their user base. It isn't like they sell budget products; in almost all cases, Apple are the most expensive option for getting anything done.
Bug bounty programs are nothing new, and can be an effective avenue to increase the security and reliability of your products. It isn't like this guy is asking for anything outlandish, and he doesn't owe anything to anyone.
However, the situation is that they do not, and thus the absolute economic fact is that Apple considers such information utterly without value. Given these, there are no obligations upon hard working security researchers and they are free to sell to someone who does find such information at the least trivially valuable. In fact it would be utterly unethical to do otherwise. A man is worthy of compensation for his labor provided that labor has value. If one party finds his labor of no value that is not a problem. If some other party, such as the NSA, finds it valuable then they have the right to sell it.
Obviously there are (unethical and disingenuous) trolls who will bring up scenarios where things are illegal. We are not considering those. Implicit is that this is an economic transaction. Which can consider ethics, such as the right to be paid for valuable labor. But does not extend to the right to commit crimes. The constraint here, obviously, is that we are discussing legal commercial transactions for legally performed work.
The other possibility is that this bug is so trivial, e.g. the "press enter a lot" bug, that you can hardly argue that a reward is warranted for their effort.
I would hope that Apple employs dozens of people at $100K or more a year to find bugs in macOS. Why wouldn't they pay comparable amounts to incentivize others to find bugs?
Failure to do so is a significant indication of their priorities.
Everyone has a right to be paid for their work provided that work is valuable to others and is not criminal. For independent contractors and free agents they have an intrinsic and fundamental right to sell their work to the highest bidder in a legal manner. To suggest otherwise is completely unethical, depraved, and inhuman.