> Next time I hope he sells his next vuln to the highest bidder
And thereby accomplishing what, exactly? There is still merit, albeit not from a material wealth standpoint, for doing the right thing for the right reasons.
I agree somewhat; the users, which include me, get caught in the crossfire if someone releases a zero-day out in the wild, but I also think there needs to be negative feedback to these tech giants that expect work for free.
But in the grand scheme of things, does it even punish the tech giants? They have so many claws in a user's life, and in the case of Apple, your only other choice is Google or a bunch of shady OEMs.
At the end of the day the only people who pay for it are the users themselves; their data is compromised and irreversibly out there.
Unfortunately exercising consumer choice works a lot better in a healthy free market than it does in one controlled by an oligopoly. I totally agree that people should try to avoid buying from companies that do immoral things, but it can be quite hard in a consolidated market.
You can rely on the vast majority of people to do the right thing when it's in their best interests.
You can likely rely on a good majority of people to do the right thing when it isn't for or against their interests in any substantial way.
I'm not sure of the number of people who will do the right thing when it's not in their best interests by some small but noticeable amount.
I'm also not sure of the number of people who will do the right thing when it's vastly against their best interests, but it's bound to be far fewer than the prior group, and I suspect it's way below a majority.
The point isn't that these people aren't doing the "right thing", it's that these programs are designed to align doing the right thing with the best interests of the researchers, so noting that we might get more results that are not in the best interests of society at large or the company in question if they don't hold up to what they agreed to is not only a valid observation, it's the likely outcome if we're to expect these programs exist for a reason.
To put this in perspective, say you find a suitcase with a million dollars in it. You can turn it in, or you can keep it for yourself. If there's no real expectation you'll get anything if you turn it in, how does the reasoning go in your head? What if you know you'll get 10% for finding it and turning it in? What if you live in abject poverty? What if you have $60k worth of medical bills for a family member to pay off?
What suggests that any of this is "free work for a trillion dollar corporation"? Apple hasn't acknowledged that this person discovered this bug yet. They've only acknowledged that it existed and that they were going to patch it in the future. Crediting someone for a bug bounty isn't as easy as you all are making it out to be.
Robbing a bank is immoral, selling information about how a piece of software works, in my humble opinion, is not. Or if it is, then it's not even close to the level of "wrong" that is robbing a bank.
Also the software to subvert security on mobile devices, build firewalls on a national level, and inspect every internet packet for disloyal statements. All that is packaged and sold to our authoritarian allies with the full approval of the government the majority of people support.
Selling a zero day would probably fall under a weapons clause.
If you sell a knife, and it's used for a stabbing, are you culpable? Thousands of people buy knives every day, and most of them don't stab anyone. So unless there was good reason to suspect something, we would say no.
Most zero-days are probably not bought by China to spy on dissidents; they are more like knives. On the contrary, when we sell bombs to the Saudis we can be 95% sure they will be used in Yemen.
Zero-days, unlike knives, are not dual-use instruments. The only people buying those zero-days are incorporating them into surveillance and monitoring systems. Literally, how else could an exploit be monetized? Stealing crypto-wallets?
You're also either a victim or an oppressor. No wrong can be done by anyone in the former group, and no good by the latter. Such ideas of victimization do nothing but justify the use of power and engender intergroup conflict.
Except that as this thread demonstrates, there is no realistic possibility of this researcher actually making more $$$ in real life by trying to find another bidder.
Not for this exploit. They pay more for code-execution exploits. No one is going to pay the sums you guys are thinking they will over a bug that gives you someone's GameCenter contacts. It's not a trivial bug but it's also not a very valuable one.