You're misunderstanding the vulnerability. The bug is in gamed, the Game Center daemon, but it allows access to the entire CoreDuet database, which does on-device intelligence stuff. Duet essentially logs everything you do on your phone, which means that if you look at the database it'll contain logs for all your interactions, not just those with Game Center contacts.



You are correct. I did misunderstand that portion of it, but that doesn't change the fact that Apple is willing to pay $100k for a bounty like that but no one else does, and Apple's actions don't suggest at all that they won't pay out the bounty. If you've ever been part of a program like this, on the developer side, it's possible that they discovered a larger bug that this was a part of or that someone else had already reported this bug. Tracking down the origin of this and the tickets involved takes time, and fixing the bug is always the priority. They haven't acknowledged that he's the originator of the report, so his insistence that he be credited immediately is a bit immature and premature.

There's nothing here that suggests Zerodium, or someone similar, would pay the same amount Apple is offering, and there's nothing that suggests that Apple doesn't intend to pay this or credit him. That's all complete conjecture.


I have no idea if Zerodium would pay out that much for this bug (probably not) or anyone else (maybe?) but Apple in general has a poor track record of paying out bug bounties. They do sometimes, but it seems like it is far rarer than their website says they should.


>Apple in general has a poor track record of paying out bug bounties

What is this based on? My understanding is that Apple pays out 99% of the reported bug bounties, and that's only because they include multiple submissions in the totals but not in the payouts (they only pay out the first discovery or root discovery).


https://habr.com/en/post/579714/

thunderspy.io/

Those are my favorite recent examples, but specifically Apple has huge issues with turnaround time. They also don't communicate with or assist the researchers who found these exploits either, which makes things particularly frustrating for people who ultimately both want to secure Apple's systems. Their overt hostility, history of poor communication, and frankly pathetic bug bounties are all contributors to how people perceive Apple's relationship with security experts.


You just posted the article that this whole thread is based on. You just posted the author's post instead of the blog's rewrite of it.

This makes it seem like this is a recurring problem yet there are only a handful of complaints.



