
Is this normal? I’m only ancillary to security stuff like this, but without details of the exploit it’s hard to say whether or not this is scandalous. It’s possible Apple made a mistake here, but is that a more likely scenario than the vuln just not being exploitable enough to warrant a bounty?



It was notable enough to be mentioned in their release notes for iOS 17.5, https://support.apple.com/en-gb/HT214101. I think that if they have to patch it, it's serious enough to reward the researcher for it. Like, it's not charity, it's not a thank you, it's an investment in their own platform's security. By not paying out they are only hurting themselves.


Bug bounties are a social solution to a social problem. In many ways, the actual money is less important than being seen to earnestly engage with the programme.

Being hard-nosed about refusing to pay a bounty on a privilege escalation bug is a rookie mistake. It engenders ill will and cements your relationship with security researchers as adversarial rather than cooperative.


This is very much not normal and is absolutely a scandal.


It's pretty normal for Apple, tbh.

They have a long history of refusing to pay bug bounties.


One has to wonder how many of the exploits out there don’t end up making their way to Cupertino as a result and what the consequences of that will be.



