This is 'just' a skill issue. Culturally, it's seems this is not a process they're very good at running. A bunch of similarities to their App Review process which isn't well regarded.
Fuck you, pay me applies.
Do you agree with this statement? If not, I think there's a contradiction. You are morally obliged to do the right thing even if there are entities who don't.
Being hard-nosed about refusing to pay a bounty on a privilege escalation bug is a rookie mistake. It engenders ill will and cements your relationship with security researchers as adversarial rather than cooperative.
When people realise this is what they can expect from Apple they will just sell these exploits to intelligence agencies instead for who knows what purpose.
So congratulations Apple of fucking over not just this person but your entire customer base for years to come. Morons.
I presume some in the list did received bounties?
If the bug from OP falls under Apple's bug bounty and yet Apple refuses to pay, it's a very shitty behaviour and I hope they're forced to pay by the backlash and the researcher is made right. But if not, the reasonable response is to stop doing security research for free for Apple, not doing research with a goal of using it immorally due to a kneejerk reaction. If Apple stops their bug bounty program today this is still not a justification to look for vulnerabilities in their products and sell them on the black market.
[1] I'm mostly dealing with the people abusing the vulnerabilities, so that may influence my worldview.
> But if not, the reasonable response is to stop doing security research for free for Apple, not doing research with a goal of using it immorally due to a kneejerk reaction.
I'm sure lots of people will! But that won't necessarily stop folks from saying "I've discovered a vulnerability that would yield me an amount of money that would substantially improve my near-to-medium-term quality of life" and doing what's necessary to profit from that. Apple's program _necessarily_ inflates the amount of money a vulnerability sells for through immoral channels regardless of whether anyone is participating in it.
> If Apple stops their bug bounty program today this is still not a justification to look for vulnerabilities in their products and sell them on the black market.
This might be true for you, but that doesn't mean it's true for even a majority of other people.
How would you know? I'm not a security researcher and still know that there were always multiple avenues for selling vulns, and most weren't public.
So really, what makes you think you can make that statement with any kind of confidence?
I'm not really sure what else you're asking for. Nobody in the world except Apple Product Security itself knows why Apple Product Security is refusing to pay a bounty in this case. It makes no sense.
Satisfied now?