Not a great look for Apple and its Security Bounty program.
Urg, my (very limited) experience with bug bounties is bad, but in general the reporter always has the disadvantage. Don't get me wrong, I think reporting bugs to get them fixed is awesome. Sucks!
PS: I think bug bounties need an automatic payout if they "accept" the report.
The main issue I have with Google's bug bounty program is that they often mark my reports as duplicates but I can't see information on the supposed original issue to confirm anything. In some cases, many months pass with no solution and it's possible they mistakenly closed it.
Once it's closed as a duplicate, you get no further updates on whether they're still working on it and preparing to ship a fix.
You don't exactly get great information otherwise, but if it's closed as a duplicate you have absolutely no more updates on what's happening.
We're generally reporting issues because we found them as part of developing GrapheneOS and need to ship a fix for it. If it's a problem in the OS rather than firmware or hardware, we can ship a fix ourselves. Doesn't make sense to wait months for them especially without comms.
Yeah, it's annoying to see them close your bug but then they don't keep you in the loop. At least what I reported got fixed after a few months...




