Quentin Hardy, writing for The New York Times:
Timothy D. Cook has found himself in a strange position. It looks like someone knows about an important flaw in Apple’s flagship product, and won’t tell its chief executive what it is.
That could be because Apple doesn’t pay outside hackers who find exploitable flaws in Apple software. Paying so-called “bug hunters” has become the norm at many tech companies, and the United States government does it too.
Interesting premise. Google and others have bug bounty programs, where they pay third parties who identify major bugs in their products. Apple does have a number of funnels to bring bug reports into their bug-tracking system. But they do not pay for those reports.
Does a third-party company (rumored to be Cellebrite; the FBI denies it is them) have a technique to crack an iPhone? Would a bug bounty have prevented this possibility?
My two cents: I certainly don’t think paying for bug reports would, by itself, make a difference to the stability of Apple’s software. There’s no shortage of officially reported bugs that are in Apple’s official bug queue.
The question is, would a hacker aware of a critical vulnerability be more likely to report it to Apple if there were a cash payout for them?