The weird thing to me is that the NYT article says that she tried "faxing Apple’s security team." Having some familiarity with the team and the process of reporting security vulnerabilities to them, I do not recall them ever claiming to have a fax machine. The idea of Apple asking you to fax in a bug report is ludicrous.
Also, it’s amazing to see she did so much to try to notify them. Yes, not being technical, she couldn’t figure out that security team email, but I wonder why all of the Apple people who were getting signals from her didn’t forward it to that team...
Overnighting is similar in that the carrier should provide confirmation that a package has been successfully delivered.
Certified mail is probably a better "someone received it" option, if that is the desired requirement.
Superstition leads to lawyers doing again a thing that worked previously without knowing why it worked or having any understanding that it's actually necessary for any reason. Most of the weird forms of words in legal contracts are a result of this; the court probably doesn't care whether you demand someone "Cease and desist" or just "Stop fucking doing that", but who wants to risk that they do care? Let's just write "Cease and desist" the same as we did on the previous document...
So, she uses Fax because her predecessors used Fax, not because there's an actual "something legal-binding about faxes". Just superstition.
There are superstitious people in every profession, that's what "sync; sync; sync" is all about - it's just that lawyering seems especially prone.
Do you really think a consumer would think to do that? Also you have to consider the number of bugs that are incorrectly flagged as being security.
Even then, the modern day incentives around vulnerability disclosure are not helping. Because security bugs are awarded bounties based on their severity, every single reporter has a financial incentive to hype and inflate their findings. "URGENT" this, "CRITICAL" that, "ACCOUNT TAKEOVER" due to already compromised computer/device, you name it.
Teams without sufficient resources will spend a lot of time dealing with the maladjusted severities. And yes, I believe the "mal-" prefix is warranted. If your report does go through with inflated severity, you stand to make more money.
I am starting to think that a reasonably run bounty programme should state up front that inflated severities in bug reports will reduce their payouts.