Apple says kernel vulnerability is not eligible for bounty (opens in new tab)

Apple is often very stingy and greedy, but I don't think this is an example of this.

This is 'just' a skill issue. Culturally, it's seems this is not a process they're very good at running. A bunch of similarities to their App Review process which isn't well regarded.

I'm trying to imagine what the reasoning at Apple even is, like it's literal peanuts for them even if they paid all bug bounties in the world.

No need for dark web. Zerodium has a up to $200k bounty for privilege escalation vulns on iOS/Android.

Next time it's where it should go. Clearly Apple doesn't mind.

I pin the responsibility on Apple. They created a bounty system which incentivized people to build their livelihoods around finding these issues. They subsequently decided they wouldn't pay out those incentives essentially at random. If putting food on the table means getting paid for vulnerabilities, it's only rational to sell your work to whoever else is going to pay for it. Apple _created this market_ (and, you might argue, put the vulnerability into production). The only bad look here is Apple, imo.

No, this is simply cause and effect. I wager a number of security researchers don’t find any moral issue with selling exploits, but prefer to be paid a bounty by the big corp due to ease and cachet. If that’s no longer tenable, they will hold up their middle fingers and just keep doing what they do. You can tell them they’re acting immorally all day long, but you will only be wasting your breath.

It is a great look! We are forwarding-thinking people that realize security happens when companies have healthy bug bounty programs.

We live in a capitalist society that the companies at the very top absolutely love to exploit. They also love to exploit "but think of the <patients>,<the people>,<the children>" and so on.

Fuck you, pay me applies.

It was notable enough to be mentioned in their release notes for iOS 17.5, https://support.apple.com/en-gb/HT214101. I think that if they have to patch it, it's serious enough to reward the researcher for it. Like, it's not charity, it's not a thank you, it's an investment in their own platform's security. By not paying out they are only hurting themselves.

Bug bounties are a social solution to a social problem. In many ways, the actual money is less important than being seen to earnestly engage with the programme.

Being hard-nosed about refusing to pay a bounty on a privilege escalation bug is a rookie mistake. It engenders ill will and cements your relationship with security researchers as adversarial rather than cooperative.

This is very much not normal and is absolutely a scandal.

What exactly is their fault?

They did Apple a solid, but not in accordance with the precise terms as laid out by Apple, so it's perfectly justified for Apple to take the researcher's work for nothing?

Apple doesn't give a shit about iOS?

Yes, it's literally the first item in the iOS 17.5 security release notes: https://support.apple.com/HT214101