AirTrafficDevice: Ignored, Reluctantly Fixed, No CVE, No Bounty
I wholly and utterly believe in the principle behind Apple’s App Tracking Transparency initiative. I therefore consider anything that is both
uniquely tied to a user and
available when “Allow Apps to Request to Track” is disabled to be a gross violation of the spirit of App Tracking Transparency.
[…]
While Apple has fixed 3-4 (search for my name) of the 21 privacy bugs (and one kernel panic) I reported, Apple decided they weren’t eligible for the bug bounty.
[…]
When I first reported OE11020806152810, it was almost immediately closed as “Not to be fixed”. I had to gently poke a few bears to get it back to “we’ll fix this.”
However, Apple never assigned a CVE while reluctantly fixing this serious bug/privacy leak.
Previously:
- Europe vs. App Tracking Transparency
- Meta Allegedly Bypassed App Tracking Transparency
- Evolution of Apple Security Bounty Program
- No Bounty for Kernel Vulnerability
- Security Researchers Unhappy With Apple’s Bug Bounty Program
- More Trouble With the Apple Security Bounty
I know there's some debate about the value of CVEs, but still. This is exactly what everyone said in the other thread when Apple said they were increasing bug bounties. Nobody cared because every number they quote is multiplied times zero.
Of all places to spend a trillion dollars in cash this is one area one would think they could invest a bit more. Unless the problem is a fundamental mismanagement of the department. Doesn't this fall under CFed ultimately...?
Ok, look. Apple certainly has issues. Software, OS, this Liquid Glass thing, AI.... and yes, they are a trillion $$ company by any standards. Their CEO should retire. I could go on and on..... Security? It's an issue, and if you wish to argue it should be their #1 priority I'd likely agree.
But this post here @MichaelTsai? Cherry picking! Nothing dishonest, but let me quote the first paragraph of the linked post:
> First, I’d like to state that I am incredibly grateful to all the people who have helped me in the past. However, October hasn’t been too kind to me. I was trying to get a job, but that fell through. I’m currently overdrawn, can’t afford the sadly expensive rent (and don’t have enough money to move to a cheaper location than Silicon Valley), I’m a month behind on my electricity bill, and I’ll lose all health insurance if I can’t pay October’s bill by October 30th. I’m also so overdrawn on my accounts that I can neither afford groceries nor can I afford the appointments needed to manage my disability.
Think it through. Read the entire post, it's quite good. Consider the tone. 21 bugs reported? Definitely see it. 3-4 fixed? Totally believe it. Let's work through more of this post:
> One (CVE-2025-43357) wasn’t eligible because I wasn’t the first to report it to Apple, which makes sense. I understand why the AuthKit bug wasn’t eligible for a bounty, even though it leaked fingerprintable information; it was more of a persistent annoyance to me and prevented me from discovering other privacy leaks in iOS due to the noise from AuthKit.
Why the complaint? Treasure hunters beware.
> Fortunately, a future release of iOS 26.x will address a privacy leak I reported, which qualifies for the lowest bounty. Unfortunately, Apple won’t pay the bounty until several weeks after the fix is publicly released, so I won’t be able to use it to cover my October bills.
I smell an issue here.... could it be.... wait for it:
> “Sandbox Profiles We would like to acknowledge Rosyna Keller of Totally Not Malicious Software for their assistance.” — Apple
> I hope you learned something from this post, and depending on the results of the GoFundMe, I’d like to write more posts of this type if enough people want them.
> Support Needed to Prevent Eviction and Maintain Health
That last was from her/his GoFundMe page which I won't link to. Find it on the post.
(1) Why is someone who works for Totally Not Malicious Software a month behind on utility payments? Unable to move? Just asking.
(2) Why was this post on this site edited such that (IMHO) half of her/his post's tone is completely lost?
I really get the security side of things. But all OSes have security issues. And yes, Apple's "bug bounty" opens them up for things like this. Bounty hunters?
@Dave As has been discussed on Mastodon recently, Rosyna has been unemployed for a while now. This situation is described more in the previous post. I haven’t edited this post at all; I just chose to focus on the bug bounty aspect due to our recent discussion here. I’m not sure what you’re trying to imply by “things like this.” The whole point of the bug bounty program is to make it worth experts’ time to hunt for privacy/security bugs and report them. I believe Rosyna has done that sincerely. This is a real person who many in the developer community know and respect and who really does need help.