If the bug from OP falls under Apple's bug bounty and yet Apple refuses to pay, it's a very shitty behaviour and I hope they're forced to pay by the backlash and the researcher is made right. But if not, the reasonable response is to stop doing security research for free for Apple, not doing research with a goal of using it immorally due to a kneejerk reaction. If Apple stops their bug bounty program today this is still not a justification to look for vulnerabilities in their products and sell them on the black market.
[1] I'm mostly dealing with the people abusing the vulnerabilities, so that may influence my worldview.
> But if not, the reasonable response is to stop doing security research for free for Apple, not doing research with a goal of using it immorally due to a kneejerk reaction.
I'm sure lots of people will! But that won't necessarily stop folks from saying "I've discovered a vulnerability that would yield me an amount of money that would substantially improve my near-to-medium-term quality of life" and doing what's necessary to profit from that. Apple's program _necessarily_ inflates the amount of money a vulnerability sells for through immoral channels regardless of whether anyone is participating in it.
> If Apple stops their bug bounty program today this is still not a justification to look for vulnerabilities in their products and sell them on the black market.
This might be true for you, but that doesn't mean it's true for even a majority of other people.
How would you know? I'm not a security researcher and still know that there were always multiple avenues for selling vulns, and most weren't public.
So really, what makes you think you can make that statement with any kind of confidence?
