This is such a great hack and a great write up. Thanks for posting it.
Shocked at how little Apple paid for it. I’m a CTO at a tiny company and we pay security researchers 10% of what you got for things 100x less severe than what you found.
thank you! always want to make this kind of this more accessible – especially since its so interesting.
I can only say the grey market becomes more enticing every time.
I personally feel like pure web bugs like this just generally get paid less (on the bounty market only) due to a strange kind of prejudice– people expect the big-ticket bugs to be binary or cryptography, and tend to dismiss XSS, even when the impact is extremely high, as in this bug.
2 comments
[ 3.7 ms ] story [ 14.7 ms ] threadShocked at how little Apple paid for it. I’m a CTO at a tiny company and we pay security researchers 10% of what you got for things 100x less severe than what you found.
I can only say the grey market becomes more enticing every time.
I personally feel like pure web bugs like this just generally get paid less (on the bounty market only) due to a strange kind of prejudice– people expect the big-ticket bugs to be binary or cryptography, and tend to dismiss XSS, even when the impact is extremely high, as in this bug.