
They're trying to say (in layman's terms) a bad person could reverse engineer the firmware now that it is not obfuscated, find a vulnerability, and abuse it. I agree that it's a weird way to phrase the hypothetical though, and they ignore how most researchers would likely submit it to Apple's bug bounty program due to the $100,000 bounty (compared to the zero third-party market value for such a bug).



I disagree that's what they're saying, because of the "it could be possible, though it's very hard" framing. I think they're saying that if you understand how SEPOS works, you can trace data and secrets through it.

(In fact, this is probably a case where the "market value" of the bug greatly exceeds Apple's stated bounty value, because you could probably charge governments a nosebleed per-phone rate to extract secrets from locked phones.)


> I think they're saying that if you understand how SEPOS works, you can trace data and secrets through it.

Fair point actually, that was a bit careless for them to add.

Regarding SEP bounty: Apple offers $100,000 just for accessing the contents. Selling it as a capability would require additional low level exploits to actually interface with SEP in order to actually exploit it, so you could do per-phone deals if you have that type of vulnerability on hand, but I am not so sure many folks do. iBoot and friends (along with everything else pre-lockscreen) are reasonably secure these days.


The paragraph after your quote:

> "Decrypting the firmware itself does not equate to decrypting user data," xerub said. There's a lot of additional work that would need to go into exploiting decrypted firmware—in short it's probably not going to have a massive impact.

The author seems to be playing it up a bit, gotta get those clicks.


> Compared to the zero third-party market value for such a bug

Why would the third-party market value be zero? It seems tremendously valuable to many extremely well-resourced parties.


This class of vulnerability specifically cannot be used independently for anything useful. You need either a low-level firmware vulnerability or a pre-lockscreen vulnerability that you can escalate to kernel, in order to actually utilize such a SEP vuln. You are not wrong, well-resourced parties may be able to do this, but for much less work the SEP vuln can fetch $100,000 and immense branding value as a researcher.



