Press is a perfect example of incentive alignment in these programs, since not paying a bounty a researcher believes is deserved is practically a guarantee of an uncharitable blog post.
Which process ensures that the company should actually care in the slightest about an uncharitable blog post or two, especially when its motivations are opaque enough that the lack of payment might be chalked up to "there's a good reason for that"?
If the cost of an uncharitable blog post is less than the cost of paying out the bounty, then a company would still be incentivized to find as many reasons to reject a payout as possible, as long as future reporters still believe they have a good chance of receiving a payout (e.g., if they believe they can sideskirt any rejection reasons).
The cost of an uncharitable blog post is massively more than the price of a bounty, like, it's not even close. The cost of an uncharitable blog post is potentially unbounded (as in: not many people in a large tech company would know how to put a ceiling on the cost), and the cost of a bounty, even a high one, is more or less chump change.
Another in my long-running dramatic series "businesses pay spectacularly more for determinism and predictability than nerds like us account for".
> The cost of an uncharitable blog post is potentially unbounded (as in: not many people in a large tech company would know how to put a ceiling on the cost), and the cost of a bounty, even a high one, is more or less chump change.
Look up "apple bug bounty" on Google, or any other search engine of your choice, and you'll find absolutely no shortage of people complaining of issues with the program. If these complaints each cost Apple a bajillion dollars, then why haven't they shut down their program already?
Or, if almost all of those complaints are just from the reporter being dumb, then how are potential future reporters (who would care about the company's propensity to pay) supposed to find actual meaningful complaints among the noise?
I don't think that sporadic blog posts are nearly as powerful as you're making them out to be: my intuition tells me that the company can usually ignore them safely, short of them making front-page news.
Look, I believe you, but people complain about all these bounty programs, some of which I know to have been extraordinarily well managed, and usually when you get to the bottom of those complaints it comes down to a misapprehension the researchers have about what the bounty program is doing and what its internal constraints are. I acknowledge that another possibility is that the bounty program itself isn't performing well; that is a possibility (I have no actual knowledge about this particular case!)
The only thing here I'm going to push back on, and forcefully, is the idea that bounty programs have an incentive to stiff researchers. They do not. I cannot emphasize enough how "not real money" these sums are. Bounty program operators, the people staffing these programs, don't get measured on how few bounties they pay out.
My point is that while the sums might be "not real money", the cost of stiffing researchers is even more so "not real money", so that it makes sense on the margin to do it, whenever the situation isn't incredibly clear-cut.
After all, it's not like Apple goes around handing out free iPhones on the street, even though a few thousand units are similarly "not real money". Businesses care about small effects on the margin.
Which part does not follow? Even supposing that the members of Apple's bug bounty team are all well-meaning, but that the program itself is chronically mismanaged, one might conjecture that Apple is disincentivized from investing in making the program better-managed.
I'm not deriving this axiomatically. The bounty programs I'm familiar with incentivize their teams to grant more bounties. I don't have recent specific knowledge of how Apple's program works. Obviously, Apple is more fussy than other programs! They want very specific things. But a just-so story that posits Apple's bounty incentives are just wildly different than the rest of the industry isn't going to get you and me anywhere. It's fine that we disagree. I do not believe Apple ruthlessly denies bounty payouts, and further think that claims they do are pretty wild.
(I have no opinions in either direction about whether Apple is denying bounty payments because of difficulties operating the program!)
Perhaps I've been somewhat too harsh: I don't see any particular 'ruthlessness' in Apple's actions. But I do think that its program, as well as many other bug bounty programs, can easily end up more byzantine in their rules than they'd otherwise be, since there's not much incentive counteracting such fussiness.
After all, one might easily imagine a forgiving rule of "we'll pay some amount of money (whether large or small) for any security issue we actively fix based on the information in the report", and yet Apple seemingly chooses to be more fussy than that in this case, unless they're just being extremely slow. I just don't see any way to square such apparent fussiness with your experience of bug bounty programs leaning toward paying out more.
> I'm going to push back on, and forcefully, is the idea that bounty programs have an incentive to stiff researchers. They do not
I replied upstream as well, but let me push back here as well. They can actually, if the bounty program is being run for the wrong reasons, which can happen - I know anecdotes aren't data, but I've seen one case first-hand.
If a bounty program is treated as a marketing project and/or an "executive value" project then they can and will be managed as a cost center and those costs will be deliberately minimized. Bang for buck. Now obviously this is perverse but if making your manager happy isn't an incentive then I don't know what to tell you.
I think both the point you’re making and the idea you’re arguing against ascribe a level of agency and rationality to large organizations that doesn’t reflect their reality. In that way they’re both “not even wrong.”
But then I can see your point to a degree at least.
I want to say again that I'm not making this point by way of a first-principles derivation of what's going on. I know for a fact that the norm in large bounty programs is to incentivize payouts. I don't know that for sure about Apple's program, but it seems extraordinarily unlikely that they depart from this norm, given the care and ceremony with which they rolled this out (much later than other big tech firms).
None of this is to say that the program is managed perfectly, as has been pointed out elsewhere on the thread. I'm not qualified to have a take on that question.