You could easily get more for selling a zero-day likely this than reporting it to Apple. If you combined the risk this is being turned on is reported back to Apple or remotely detectable, combined with a zero day, it would be a goldmine; cover this and other issues in my comments on the topic:
I like money but something tells me targets of such attacks might end up dead, so it’s more about ethical considerations rather than who pays better. The bounty won’t sway everyone but $2m would sway more people than $1m which would be more than $10k
Zero-day buyers are going to have a hard time topping that.