
Neat, $17,500 is pretty good, I’m so used to these blog posts being for peanuts, or where companies fix the vulnerability but don’t pay out at all. Apple’s gotten better about this since 2019.


I read a comment under the story about the recent YouTube vulnerability where one could unmask the related Google account and its owner using the standard YouTube API (something similar to that anyway), and they explained a lot of lesser-known nuances in establishing values for bounties like these, and it helped explain a lot (not all) of the reasons for what might seem like low-ball/high-ball valuations on the surface. If I can find their comment I’ll post back, it was really insightful. That said, there are also plenty of examples of people just getting shafted.



That's it! Really informative, IMHO. Thanks for adding the other cheek to my half ass job there.


That’s definitely the one I thought of



100% Thanks for the assist.


Maybe Zerodium would've paid $75k but that would be less ethical because Israel and America would weaponize it.


They wouldn’t, especially considering they aren’t operating anymore.


Which was Vupen too before that. One company name is unimportant because multiple shady groups and individuals are out there buying and selling 0days. This is definitely the case because state actors don't develop 100% of them themselves and must get them from somewhere. It's a small but nonzero market of expediency.


I'm sure there are companies that have stepped up to fill the void. But the market for "I DDoSed your phone" doesn't really exist.


Except that's not true because rendering a target's device unusable temporarily and/or effectively permanently is a useful payload regardless of what you think.


A useful payload for whom? Point me to someone who is willing to pay for such a bug and I'll believe you. Zerodium's old payout scale didn't even list denial of service, and to my knowledge no other serious vendor does either. If I can list a bunch of people who don't care about this surely you can find one who does.


That's not how vulnerability markets work. The idea that a broker would pay $75,000 for a phone DoS is very funny.



