undefined | Better HN

0 pointsrobzyb9y ago0 comments

> Put another way - if you are not part of the invited group, and you submit an issue, but do so poorly, or without a clear Proof-of-Concept, and concise description, you can reasonably expect to hear no response from Apple, with no grounds to complain that they ignored you. But, at the same time, if you have a clear exploit, well documented, with impact and proof-of-concept, then their is still an avenue to submit it to Apple, but it's up to Apple to decide how they wish to prioritize.

Thanks, that does make a lot of sense.

My main exposure to bug bounty programs has been through the blog post of submitters, that don't give much insight to the resources/support that e.g. Apple would need to give.

0 comments

ghshephard9y ago

The actual effort is pretty minimal - 2-3 FTEs for a closed bounty program, plus maybe another 15-20 FTEs or so to assist with triage once it's opened up - total cost for Apple to set up a bug bounty is on the order of $5million/year staffing. Its more the trying to scale up so you don't end up annoying people by not being responsive - it takes time to hire the people and train them.

j / k navigate · click thread line to collapse

0 pointsrobzyb9y ago0 comments

Thanks, that does make a lot of sense.

My main exposure to bug bounty programs has been through the blog post of submitters, that don't give much insight to the resources/support that e.g. Apple would need to give.

0 comments

ghshephard9y ago

j / k navigate · click thread line to collapse