1. Some reports were prior to the existence of the security bounty program.
2. Sometimes I was not the first person to report a vulnerability, and the program pays only the first reporter, even when there are multiple reports prior to the fix.
3. Apple has a tendency just to sit on reports without addressing them, sometimes for years, and I finally get sick of that crap and publish my findings, which of course makes me ineligible for a bounty. This gives me the feeling that the main purpose of the program is to keep people quiet for as long as possible, with a (possible, eventual) payment dangled as incentive for your silence.
Ultimately I gave up completely on the security bounty program and decided not to bother even to look for vulnerabilities anymore.
My feeling has been for a long time that macOS TCC is security theater, a joke that causes great difficulty for honest developers but otherwise does not significantly impede malware. Moreover, TCC is simply a bad fit for the Mac, tacked onto an OS not designed for TCC, long after the fact. The number of TCC bypasses is practically endless, as proven by the practically endless number of fixes listed in Apple's security update release notes. I can imagine that patient (willing to wait on Apple) Mac security researchers like Csaba Fitzl have made a fortune on TCC bypasses, and you can see his name countless times in the aforementioned release notes.