It's pretty straightforward. Apple wants to start off slow, with a small group of people, and develop the quality of the program. By being explicitly closed, but implicitly open, they can focus their energy on the invited researchers and ensure a high level of support/response.
If they had explicitly said that it was an open program, they would have had to scale up their efforts to support the entire world of vulnerability researchers, or risk disappointing people for not responding quickly enough.
Put another way - if you are not part of the invited group, and you submit an issue, but do so poorly, or without a clear proof-of-concept and concise description, you can reasonably expect to hear no response from Apple, with no grounds to complain that they ignored you. But, at the same time, if you have a clear exploit, well documented, with impact and proof-of-concept, then there is still an avenue to submit it to Apple, but it's up to Apple to decide how they wish to prioritize.
> Put another way - if you are not part of the invited group, and you submit an issue, but do so poorly, or without a clear proof-of-concept and concise description, you can reasonably expect to hear no response from Apple, with no grounds to complain that they ignored you. But, at the same time, if you have a clear exploit, well documented, with impact and proof-of-concept, then there is still an avenue to submit it to Apple, but it's up to Apple to decide how they wish to prioritize.
Thanks, that does make a lot of sense.
My main exposure to bug bounty programs has been through the blog posts of submitters, which don't give much insight into the resources/support that e.g. Apple would need to provide.
The actual effort is pretty minimal - 2-3 FTEs for a closed bounty program, plus maybe another 15-20 FTEs or so to assist with triage once it's opened up - total cost for Apple to set up a bug bounty is on the order of $5 million/year in staffing. It's more the trying to scale up so you don't end up annoying people by not being responsive - it takes time to hire the people and train them.
> That setup doesn't make any sense to me. Either it's an open program or a closed program.
Or it's something in between. Few things in life are or have to be binary -- that's a very CS mindset.
Apple wants to start it as closed, so they have full discretion as to what "others" they will accept (since they've already said they're not just accepting anybody).
This helps them build up their teams and infrastructure for it with fewer, pre-selected people, and gives them time to expand (or even evaluate whether they need to expand to fully open at all; perhaps a smaller/controlled list works well enough too).
At the same time, the "we might accept non-invited third parties" gives them the opportunity not to miss out on any important unexpected collaborators / bugs.
The Reuters report has some details about why they limited it:
> Apple said it decided to limit the scope of the program at the advice of other companies that have previously launched bounty programs.
> Those companies said that if they were to do it again, they would start by inviting a small list of researchers to join, then gradually open it up over time, according to Apple.
> Security analyst Rich Mogull said that limiting participation would save Apple from dealing with a deluge of "low-value" bug reports.
> "Fully open programs can definitely take a lot of resources to manage," he said.
If it was a salaried job you would have to sign a non-disclosure agreement, assign all intellectual property rights to Apple, ensure that you have good work attendance, be responsive to what your manager tells you to do, etc., etc...
I'm sure there are a lot of security researchers who would like to dabble in dozens of companies' products, without being told what they had to do every day, yet still be compensated.
(ie, https://twitter.com/i0n1c/status/761349794510036992)