
There is no $100K coming.

Apple hopes you'll stay silent by dangling a hypothetical $100K (or whatever large amount) in the vague future. Once they've fixed the bug, they no longer have an incentive to pay you so they won't.




I think the behavior is very Russian.

Hacker: You have a vulnerability bounty program. Well here are three. Pay up.

Apple: [silence]

Hacker: [interprets this correctly as a fuck you.] Fuck me? Fuck you!

Me: Love it!


Haven't they done this in the past? "Oh thank you!" then "Actually we already knew about it and had a fix planned, so no bounty for you"?


Yes.

In some cases when they did pay, they paid significantly less than their published rates.


From the PoV of a security researcher - why even bother disclosing responsibly (moral obligations aside)?

Best case scenario: you don't get sued into oblivion, will be ghosted and gaslighted, and receive pocket change an arbitrary amount of time later.

Compared to that, I suppose the exploit brokers have got their stuff together - after all, time is money - chances are someone else may stumble upon the same vulnerability...


If the payout is higher priority to you than the ethics of selling an exploit that governments around the world will end up using to hunt and capture or kill political dissidents, then you are of course free to sell it on the exploit market :) I prefer to sleep at night, though.


Just to clarify, since I suppose you read that wrong: I'm not a security researcher :)


Seems more likely it'll just take 3-4 years with months of silence at a time, based on the extremely few security Radars I've ever filed as a developer. 90 days to publication is certainly a valid choice, but it's also a personal choice that reduces a probable $100k payment in X years to a certain $0 payment today. I would be fine with that delay. OP is not, and that's fine too. I don't know whether that's an acceptable choice or not to anyone else, but Apple should be disclosing their communication practices a lot more clearly here. I discourage participation by anyone who isn't willing to wait a year between replies.


You’re claiming that they maliciously lie and refuse to pay out because, based on OP, they screwed up on release notes and didn’t get it solved within the 90-day crunch period between WWDC and release.

It took so little evidence for you to decide it’s hopeless and declare your prediction as fact. Maybe you felt this way before this post? Otherwise I’m just not sure how to respond.

