Not a great look for Apple and its Security Bounty program.
urg, my (very limited) experience with bug bounties is bad, but in general the reporter always has the disadvantage. Don't get me wrong, I think reporting bugs to get them fixed is awesome. Sucks!
PS: I think bug bounties need an automatic payout if they "accept" the report.
The main issue I have with Google's bug bounty program is that they often mark my reports as duplicates but I can't see information on the supposed original issue to confirm anything. In some cases, many months pass with no solution and it's possible they mistakenly closed it.
Once it's closed as a duplicate, you get no further updates on whether they're still working on it and preparing to ship a fix.
You don't exactly get great information otherwise, but if it's closed as a duplicate you have absolutely no more updates on what's happening.
We're generally reporting issues because we found them as part of developing GrapheneOS and need to ship a fix for it. If it's a problem in the OS rather than firmware or hardware, we can ship a fix ourselves. Doesn't make sense to wait months for them especially without comms.
Lately, most of what I file gets closed as a duplicate and it definitely discourages investing further time in it. If we can just fix the issue ourselves, then we'll increasingly just do that and then perhaps find time to tell them about it later but it's a pretty low priority.
Main incentive to bother reporting anything we can fix ourselves is not the bug bounty but rather offloading the work of fixing issues to them. If it takes them 120+ days to fix the kinds of issues we report, then that's not a particularly good way of getting anything done.