You're missing mine, I'm afraid: I've made no claim about anyone having to do anything. Indeed, if I was in Charlie's shoes, I wouldn't be working on spec.

Let me put it another way.

There are two markets for exploits: the legitimate one, and the criminal one.

Charlie is participating in the legitimate one. He's going to get paid what the sole counterparty wants to pay him. We can argue about what the counterparty should pay him, but that's up to Apple (in this case), and there are a lot of different things that might enter into their calculation.

An argument that uses the value of the exploit in the criminal market in an attempt to set a value in the legitimate one only makes sense in one of two cases: (a) you're going to take your work and sell it over there, or (b) you claim that someone else either has already discovered or will soon discover the same exploit independently, and will choose to sell it on the criminal market, and therefore the value of your work should reflect the danger of that happening.

In the first case, you're engaging in blackmail.

In the second case, it's just not a very good argument -- because the chance that each element in the chain of reasoning about the value (it's about to be or has already been discovered by someone else, it's going to end up on the black market, it's a substantial risk for a 0-day, etc.) is not true represents a probability that reduces the overall value of your exploit in the legitimate market. Plus, there are the additional reductions in exploit value that come from the vendor not actually caring that much about fixing problems until they're in the wild, or having already found the issue and decided that the particular problem isn't worth fixing for a variety of non-technical reasons, or any one of a dozen other external factors.

Working on spec and then demanding that the vendors match the exploit values that the criminal market is paying is just a Bad Idea, morally and practically.

Apple pays zero for vulnerabilities, friend. They get them for free. Charlie Miller is saying he's going to stop doing that. Can you blame him?


No, but that's not his point. (I think) he says there's something wrong with him basing his price on what criminals would pay (regardless of whether he would actually sell it to criminals).

I don't know. If he can't ask whatever he wants for it and Apple can't pay whatever they want for it, there's no simple solution.


I think we've latched too much on the pricing specifics. I don't think Miller cares; I think he's just trying to illustrate that there is in fact a market value for this work, and that vendors and customers appear to expect to get the work product for free.
