tptacek 18 hours ago

Nobody is buying anything on "Zerodium".

jijijijij 18 hours ago

I wasn't aware they are gone. It's not my game, replace with whatever shady exploit trader/market out there.

tptacek 18 hours ago

I do not in fact think you would make a lot more than $4000, or even $4000 in the first place, for an Apple XSS bug, unless it was extraordinarily situationally powerful (for instance, a first-stage for a clean, direct RCE). Bounty prices have nothing at all to do with the worst-case damage a motivated actor could cause with a vulnerability.

jijijijij 18 hours ago

https://security.apple.com/bounty/categories/

The lowest tier is $5k. XSS up to $40k. I think we're talking exfiltration of dev credentials...

tptacek 17 hours ago

Nice, I hadn't seen that. Well, there you go: the absolute most you're going to make for the absolute worst-case XSS bug at the largest software firm in the world.