Hacker News

It must be nice to give up $100k by being impatient. I do understand that OP probably feels a moral reason to do so, but that $100k would be life-changing for me, even if it took 3 years to pay out.


There is no $100K coming.

Apple hopes you'll stay silent by dangling a hypothetical $100K (or whatever large amount) in the vague future. Once they've fixed the bug, they no longer have an incentive to pay you so they won't.


I think the behavior is very Russian.

Hacker: You have a vulnerability bounty program. Well here are three. Pay up.

Apple: [silence]

Hacker: [interprets this correctly as a fuck you.] Fuck me? Fuck you!

Me: Love it!


Haven't they done this in the past? "Oh thank you!" then "Actually we already knew about it and had a fix planned, so no bounty for you"?


Yes.

In some cases when they did pay, they paid significantly less than their published rates.


From the PoV of a security researcher - why even bother disclosing responsibly (moral obligations aside)?

Best case scenario: you don't get sued into oblivion, you get ghosted and gaslit, and you receive pocket change an arbitrary amount of time later.

Compared to that, I suppose the exploit brokers have got their stuff together - after all, time is money - and chances are someone else may stumble upon the same vulnerability...


If the payout is higher priority to you than the ethics of selling an exploit that governments around the world will end up using to hunt and capture or kill political dissidents, then you are of course free to sell it on the exploit market :) I prefer to sleep at night, though.


Just to clarify, since I suppose you read that wrong: I'm not a security researcher :)


Seems more likely it'll just take 3-4 years with months of silence at a time, based on the extremely few security Radars I've ever filed as a developer. 90 days to publication is certainly a valid choice, but it's also a personal choice that reduces a probable $100k payment in X years to a certain $0 payment today. I would be fine with that delay. OP is not, and that's fine too. I don't know whether that's an acceptable choice or not to anyone else, but Apple should be disclosing their communication practices a lot more clearly here. I discourage participation by anyone who isn't willing to wait a year between replies.


You’re claiming that they maliciously lie and refuse to pay out because, based on OP, they screwed up on release notes and didn’t get it solved within the 90-day crunch period between WWDC and release.

It took so little evidence for you to decide it’s hopeless and declare as fact your prediction. Maybe you felt this way before this post? Otherwise I’m just not sure how to respond.


Given that (according to the author) they've already lied at least twice ("processing error, will be in next release")...

... what gives you such high hopes that he will ever get his 100K?


This fellow has a lot more to gain than $100k from the popularity and prestige he'll gather by publishing this. Especially considering that Apple will never change their ways until they're publicly shamed, the long-term outcome of shaming them is worth more than $100k if they actually change their policies to take security researchers and the bug bounty seriously.


I would not consider Apple particularly concerned about shame in regard to bounty program delays in communication and publication, no matter how much people try.


I agree, but the shame of getting 0-day exploits published on the web by someone who doesn't work at Apple might shame them enough to change.


Don’t count someone else’s money.


Sue Apple and lose another 100k.



