Tuesday, October 28, 2025

AirTrafficDevice: Ignored, Reluctantly Fixed, No CVE, No Bounty

Rosyna Keller:

I wholly and utterly believe in the principle behind Apple’s App Tracking Transparency initiative. I therefore consider anything that is both

  • uniquely tied to a user and

  • available when “Allow Apps to Request to Track” is disabled to be a gross violation of the spirit of App Tracking Transparency.

[…]

While Apple has fixed 3-4 (search for my name) of the 21 privacy bugs (and one kernel panic) I reported, Apple decided they weren’t eligible for the bug bounty.

[…]

When I first reported OE11020806152810, it was almost immediately closed as “Not to be fixed”. I had to gently poke a few bears to get it back to “we’ll fix this.”

However, Apple never assigned a CVE while reluctantly fixing this serious bug/privacy leak.

Previously:

Update (2025-11-07): Another example, from Joseph Goydish II:

A critical vulnerability in Apple’s iOS activation backend allows for the injection of unauthenticated XML .plist payloads during the device setup phase. The flaw permits arbitrary provisioning changes without authentication, signature verification, or error feedback—exposing devices to pre-activation tampering and persistent configuration manipulation.

He says this had already been actively exploited when he reported it to Apple back in May:

Forensic analysis on devices freshly reset and activated on iOS 18.5 revealed persistent entries in system caches such as CloudKitAccountInfoCache and CommCenter, as well as configuration drifts that could not be attributed to any user action.

However, Apple “continues to classify it as ‘hypothetical’ and has not acknowledged the evidence as sufficient to deem it a vulnerability.”

The lack of remediation leaves iOS devices, including those running the latest stable release, vulnerable to advanced post-exploitation tactics, warranting immediate attention from both Apple and enterprise security teams.

Update (2025-11-07): Jeff Johnson:

There’s an anonymous GitHub account that just joined a few months ago and this month posted a bunch of fake Apple vulnerabilities with no reproduction steps.



I know there's some debate about the value of CVEs, but still. This is exactly what everyone said in the other thread when Apple said they were increasing bug bounties. Nobody cared because every number they quote is multiplied times zero.

Of all places to spend a trillion dollars in cash this is one area one would think they could invest a bit more. Unless the problem is a fundamental mismanagement of the department. Doesn't this fall under CFed ultimately...?


Ok, look. Apple certainly has issues. Software, OS, this Liquid Glass thing, AI.... and yes, they are a trillion $$ company by any standards. Their CEO should retire. I could go on and on..... Security? it's an issue, and if you wish to argue it should be their #1 priority I'd likely agree.

But this post here @MichaelTsai? Cherry picking! Nothing dishonest, but let me quote the first paragraph of the linked post:

> First, I’d like to state that I am incredibly grateful to all the people who have helped me in the past. However, October hasn’t been too kind to me. I was trying to get a job, but that fell through. I’m currently overdrawn, can’t afford the sadly expensive rent (and don’t have enough money to move to a cheaper location than Silicon Valley), I’m a month behind on my electricity bill, and I’ll lose all health insurance if I can’t pay October’s bill by October 30th. I’m also so overdrawn on my accounts that I can neither afford groceries nor can I afford the appointments needed to manage my disability.

Think it through. Read the entire post, it's quite good. Consider the tone. 21 bugs reported? Definitely see it. 3-4 fixed? Totally believe it. Let's work through more of this post:

> One (CVE-2025-43357) wasn’t eligible because I wasn’t the first to report it to Apple, which makes sense. I understand why the AuthKit bug wasn’t eligible for a bounty, even though it leaked fingerprintable information; it was more of a persistent annoyance to me and prevented me from discovering other privacy leaks in iOS due to the noise from AuthKit.

Why the complaint? Treasure hunters beware.

> Fortunately, a future release of iOS 26.x will address a privacy leak I reported, which qualifies for the lowest bounty. Unfortunately, Apple won’t pay the bounty until several weeks after the fix is publicly released, so I won’t be able to use it to cover my October bills.

I smell an issue here.... could it be.... wait for it:

> “Sandbox Profiles We would like to acknowledge Rosyna Keller of Totally Not Malicious Software for their assistance.” — Apple

> I hope you learned something from this post, and depending on the results of the GoFundMe, I’d like to write more posts of this type if enough people want them.

> Support Needed to Prevent Eviction and Maintain Health

That last was from her/his GoFundMe page which I won't link to. Find it on the post.

(1) Why is someone who works for Totally Not Malicious Software a month behind on utility payments? Unable to move? Just asking.
(2) Why was this post on this site edited such that (IMHO) half of her/his post's tone is completely lost?

I really get the security side of things. But all OSes have security issues. And yes, Apple's "bug bounty" opens them up for things like this. Bounty hunters?


@Dave As has been discussed on Mastodon recently, Rosyna has been unemployed for a while now. This situation is described more in the previous post. I haven’t edited this post at all; I just chose to focus on the bug bounty aspect due to our recent discussion here. I’m not sure what you’re trying to imply by “things like this.” The whole point of the bug bounty program is to make it worth experts’ time to hunt for privacy/security bugs and report them. I believe Rosyna has done that sincerely. This is a real person who many in the developer community know and respect and who really does need help.


As a data point, this definitely falls into the category of posts I appreciate finding here. Condensing and focusing the original post for this context seems appropriate and expected to me. Thanks.


"I smell an issue here..."

You fail to say what the issue is that you smell.

"Apple's "bug bounty" opens them up for things like this"

Things like what? People finding bugs for them? Incentivizing people to find bugs is the point of a bug bounty. It opens them up to the thing that they meant to open themselves up to?


Right out of the gate, I don't know Rosyna Keller, I've never met Rosyna, and I'm pretty sure Rosyna doesn't -need- me to speak for her… but I'm going to speak up anyhow. Because in EVERY interaction I've ever had with Rosyna on Twitter/X, I've come away with the feeling Rosyna is just super valuable to the Apple community, with an outsized expertise in reverse engineering skills and an absolute genius level knack for digging into the bowels of Apple's operating systems. I don't know of the extent of Rosyna's medical issues, but I know that such things suck… and can bring the strongest to their weakest positions. In an ideal world, the Rosynas wouldn't have to be resorting to GoFundMes. I also know Rosyna worked for Apple for a while, and I'd seen the posts that seemed to indicate some rather crappy actions on Apple's side on how her employment was handled; that's the extent of what I know, but from a few other former-Apple folks I know, the story didn't seem wrong or outlandish to me. Apple is a shitty employer nowadays.

Anyhow… I just think it is unfair the post that Dave made. It seems like a pretty strong 'shooting the messenger' by way of ad hominem rather than engaging on the substance. I'm not calling for censorship, I'm just suggesting that people feeding themselves by relying on their skillset should never be something we begrudge in this community, we need all the help we can get. Seriously.

As to Apple and their stupid security issues, I'm not even going to get into a Radar-filing measuring contest… I'm sure Rosyna has me beat hands down. Michael too. But what I -do- know is that over the past 15 years, Apple has ever so conveniently lied, closed cases, downplayed submissions… etc etc etc… for varietal reasons that were nonsensical, and this last bs of just not paying folks (while being a $4T company) is about as asinine, IMO, as it gets. I've never had anything as grand as a Bug Bounty, but I've worked too many hours to count on many issues that were 100% privacy and security issues that Apple REFUSED to ack, refused to fix in a timely manner, and treated me like a slave (by definition: an unpaid worker) on. Some are still existent. And every single one of them were bugs that should have been rectified, Apple just decided to punt and lie (or, at the very least, refuses to acknowledge existence of the issue, sometimes eventually fixing, sometimes not). And make no mistake, it is lying. Apple is a company that lies to cover up their mistakes, because their PR image has now been 'polished' to require it.

So I feel for Rosyna Keller, and all of the others that still put in the work like this. Because I've stopped; I haven't filed a case with Apple in at least 10 years, and refuse to… refuse to put in any more work. So bully for the good ones… Apple doesn't deserve them. But the community can't afford to lose them… or maybe we don't deserve them either. And at the very least, even if we don't (or can't afford to) contribute, there's not a lot of reason to question motives like that.

Sorry for the blather. And nothing personal meant. Just makes me a bit sadder to see.


I am not going to comment on the original post. But in general, it seems incredibly self-defeating for Apple to err on the side of stingy as opposed to erring on the side of generous when it comes to paying these bounties. Given their scale and the numbers of users… the ROI of people reporting security issues seems enormous. You’d think they would want to encourage the hell out of it.


There is absolutely no justification for this. Apple has become a bad company

In a great society, people’s health and disability would always be covered

In a good society, Apple would do it because she helps them, worked for them, and they can

In our society, she’s required to beg on a gofundme like thousands of Americans have to every year

When are we going to stop accepting this and demand change?


Hardik Panjwani

This is so disheartening.

Apple should do better by the people who help Apple make their systems safer.
