There's a case to be made for public shaming, sometimes. You're leaving it up to Apple to decide whether they want to pay you or not; they might deny the bounty for some reason, while still fixing the bug. Now you get nothing, in addition to having given Apple time to sweep the issue under the carpet and bury it under a change-log with language that heavily downplays the severity (e.g. "CVE - A buffer overflow could cause an application window behind the lockscreen to retain focus").
Posting it on Twitter, however, draws attention to Apple's waning security practices and how such glaring holes manage to slip past their peer review. It sparks public outrage, and may serve as a wake-up call to the company.