I really don't understand this whole "whining over how much I got paid for my bug bounty" thing.
1. Nobody is asking you to find exploits in the systems of a company you don't work for. If you want to use your time that way, then fine, but understand that is your own time-management decision. Don't go complaining about how you feel "undervalued".
2. Companies are under no obligation to pay bounties and companies are certainly under no obligation to pay headline grabbing bounties.
1+2 = Stop whining and be grateful for someone paying you a five-figure (or greater) sum for something you didn't have to do.
Frankly, I also think this whole bug-bounty thing is a little bit dangerous. Sooner or later it's going to end with various attempts at blackmail. It strikes me as a very thin line.
(For the avoidance of doubt, I'm speaking in general here. Not about Apple and not about this particular person.)
> Don't go complaining about how you feel "undervalued".
That's your interpretation. When I see that kind of complaint, I don't see people complaining that they feel undervalued, I see people complaining that companies undervalue vulnerabilities, which is kind of a big deal.
I don't see anything in that article that makes it feel like they believe that Apple undervalues vulnerabilities either; if anything, it sounds pretty positive for Apple. They answer quickly and fix the issues really, really quickly (they said 4 hours for the most critical one).
The amounts may seem low, but they don't complain at all about it and even say that Apple may pay them more afterward, so even if you personally believe these amounts are low while reading it, you may come out of that article believing that they will get paid enough afterward.
> 2. Companies are under no obligation to pay bounties and companies are certainly under no obligation to pay headline grabbing bounties.
Sure, they aren't under any obligation, just like Nike is under no obligation to pay more than good wages to make their shoes overseas. The thing is, their clients may be interested in knowing these facts and making a decision in relation to them.
They found 55 vulnerabilities... that's 55 instances of negligence in Apple infrastructure. If you believe that's alright, then perfect, but don't complain that people try to make it known so that everyone can make an educated decision.
Personally, that article gives me MORE confidence in Apple.
> Sooner or later its going to end with various attempts at blackmail.
How do bug bounties allow more blackmail? You can still blackmail with or without bug bounties. If anything, I believe it reduces blackmail, as you can go through the bug bounty program instead and get paid legally. I don't think many security researchers would put that they blackmailed Apple, but they will certainly say they got paid over their bug bounty program.
The whole point of the bounty is to incentivize disclosure to the software/hardware maker instead of using it nefariously or selling it to someone who will. Companies can avoid being "blackmailed" by offering fair prices for bounties. If finding several high severity bugs results in a paltry bounty, there is little incentive to disclose.
Though bug bounties are more than that. At the end of the day they have revealed vulnerabilities that would have impacted users such as us. IMO we should value these people more.