Yeah, I love the idea of bug bounties; however, there is this issue created when the provider cannot offer the most competitive price for bounties. It's no secret that nation states will pay more than Apple will for vulnerabilities.
There's no reason Apple couldn't pay more than nation-states for bug bounties; they have a ridiculous amount of money, after all.
In crypto there exists a service called ImmuneFi; it's essentially an arbitrator between hackers and services offering bug bounties that provides an impartial third-party ruling on the payout.
They recently paid out a $10 million bug bounty. That really needs to move into Web2.
> Immunefi has saved over $25 billion in users’ funds and has paid out $60 million in total bounties. The platform now supports 300 projects across multiple crypto sectors, and collectively offers $135 million in bounties to whitehat hackers. Immunefi has also facilitated the largest bug bounty payments in the history of software, including $10 million for a vulnerability discovered in Wormhole, a generic cross-chain messaging protocol, and $6 million for a vulnerability discovered in Aurora, a bridge and a scaling solution for Ethereum.
That would just create a bidding war and wouldn't stop the arms race at all.
Also, once the rewards increase past a certain point, security researchers would have no reason to work for Apple, since one big hit would mean being set for life.
Security researchers on ImmuneFi can be set for life by submitting a large bug bounty today. But that's extremely rare, and you don't see them lining up to leave Apple.