Ask HN: How do I make Apple pay up?

Apple is notoriously stingy with bug bounties.¹ They also like to say “going to the press doesn’t help” when time and again it’s been shown they only react to bad press.

If the issue you found is “expected behaviour”, then there’s no harm in sharing it. Do it publicly while mentioning your timeline and their response. Let everyone else decide if it’s truly an issue or not. If they end up changing it, it becomes proof you found a legitimate problem. That doesn’t guarantee they’ll pay up, but they’ll get even more bad press if they don’t.

Apple has already indicated they don’t intend to pay you. By keeping the problem a secret you have no recourse and will continue not being paid. Unless you know someone at Apple which could make it happen, anything other than sharing the bug is a waste of your time and presumably harmful for users who won’t know of the problem and thus can’t protect against it.

¹ https://www.macrumors.com/2021/09/09/security-researchers-ap...

Talk to a few of your trusted peers about the effect (not the mechanics) of the vulnerability.

As in, "If you hand me your iPhone, I can unlock it without knowing your password." Don't tell them how, just describe in 1 sentence what access you need, and what you're able to do. If your trusted peers (not drinking buddies who do other jobs) are impressed, then widen the circle a little - tell strangers (like HN readers) that same thing, and ask if it's a vulnerability.

It'll just help you have a sanity check about whether or not it's actually a vulnerability that Apple needs to fix, or perhaps it's someone else's, or not really that big of a deal.