On vendor disclosure timelines, bounty programme incentive misalignment, and the psychological contract

Published two Apple disclosures today (links below). Both confirmed by Apple, both scheduled for “Fall 2026” — six months from filing. I also wrote up the reasoning behind publishing ahead of that window, because I think the reasoning should be on the record.

The essay covers:

– The implicit contract between researchers and vendors, and what “honouring it in letter but not in spirit” looks like in practice
– What “Fall 2026” actually means for a one-line bounds check fix
– The 90-day norm, why it exists, and what Project Zero’s own data shows about fix times under deadline vs. indefinite windows
– The structural incentive misalignment when a bounty is “pending review” for months — that’s not a bounty programme, that’s a hush arrangement with a variable payout
– The specific calculus behind each disclosure: both bugs confirmed, both locally/conditionally exploitable only, mitigations available now, fix complexity low

It’s not a rant. It’s a record.

https://stuart-thomas.com/vendor-ethics/

The two disclosures:

– PING-01 (BSS write): https://stuart-thomas.com/research/ping-sweepmax-bss/
– SMB-01A (64 GiB amplification): https://stuart-thomas.com/research/smbd-copychunk-dos/

submitted by /u/Prize-Unlucky
Published two Apple disclosures today (links below). Both confirmed by Apple, both scheduled for “Fall 2026” — six months from filing. I also wrote up the reasoning behind publishing ahead of that window, because I think the reasoning should be on the record. The essay covers: – The implicit contract between researchers and vendors, and what “honouring it in letter but not in spirit” looks like in practice – What “Fall 2026” actually means for a one-line bounds check fix – The 90-day norm, why it exists, and what Project Zero’s own data shows about fix times under deadline vs. indefinite windows – The structural incentive misalignment when a bounty is “pending review” for months — that’s not a bounty programme, that’s a hush arrangement with a variable payout – The specific calculus behind each disclosure: both bugs confirmed, both locally/conditionally exploitable only, mitigations available now, fix complexity low It’s not a rant. It’s a record. https://stuart-thomas.com/vendor-ethics/ — The two disclosures: – PING-01 (BSS write): https://stuart-thomas.com/research/ping-sweepmax-bss/ – SMB-01A (64 GiB amplification): https://stuart-thomas.com/research/smbd-copychunk-dos/ submitted by /u/Prize-Unlucky [link] [comments]Technical Information Security Content & DiscussionRead More