[robzyb]

That setup doesn't make any sense to me.

Either its an open program or a closed program.

A closed program that allows submissions from others is an open program.

What reasons what they have to do it this way? My first guess is to tick some checkbox.

[ghshephard]

It's pretty straightforward. Apple wants to start off slow, with a small group of people, and develop the quality of the program. By being explicitly closed, but implicitly open, they can focus their energy on the invited researchers, and ensure a high-level of support/response.

If they had explicitly said that it was an open program, they would have had to scale up their efforts to support the entire world of vulnerability researchers, or risk disappointing people for not responding quickly enough.

Put another way - if you are not part of the invited group, and you submit an issue, but do so poorly, or without a clear Proof-of-Concept, and concise description, you can reasonably expect to hear no response from Apple, with no grounds to complain that they ignored you. But, at the same time, if you have a clear exploit, well documented, with impact and proof-of-concept, then their is still an avenue to submit it to Apple, but it's up to Apple to decide how they wish to prioritize.

[robzyb]

> Put another way - if you are not part of the invited group, and you submit an issue, but do so poorly, or without a clear Proof-of-Concept, and concise description, you can reasonably expect to hear no response from Apple, with no grounds to complain that they ignored you. But, at the same time, if you have a clear exploit, well documented, with impact and proof-of-concept, then their is still an avenue to submit it to Apple, but it's up to Apple to decide how they wish to prioritize.

Thanks, that does make a lot of sense.

My main exposure to bug bounty programs has been through the blog post of submitters, that don't give much insight to the resources/support that e.g. Apple would need to give.

[ghshephard]

The actual effort is pretty minimal - 2-3 FTEs for a closed bounty program, plus maybe another 15-20 FTEs or so to assist with triage once it's opened up - total cost for Apple to set up a bug bounty is on the order of $5million/year staffing. Its more the trying to scale up so you don't end up annoying people by not being responsive - it takes time to hire the people and train them.

[coldtea]

>That setup doesn't make any sense to me. Either its an open program or a closed program.

Or it's something in between. Few things in life are or have to be binary -- that's a very CS mindset.

Apple wants to start it as closed, so they have full discretion as to what "others" they will accept (since they've already said they're not just accepting anybody).

This helps them build up their teams and infrastructure for it with the fewer, pre-selected, people, and gives them time to expand (or even evaluate if they need expanding to fully open anyway, perhaps a smaller/controlled list works well enough too).

At the same time, the "we might accept non-invited third parties" gives them the opportunity not to miss out on any important unexpected collaborators / bugs.