
> Explain I'm naive: why would Apple's bug bounty program be so poorly run?

Hubris.

Apple's culture is still fundamentally the same from the day they ran ads saying "Macs don't get viruses" to today. They used misleading ad copy to convince people they could just buy a Mac and be safe, not needing to do anything else... ignoring that Macs still got malware in the form of trojans, botnets and such... and encouraging a culture of ignorance that persists to this day. "It just works." etc.

So now their primary user base is majorly people who have zero safe online habits.

And that sort of mentality feeds back into the culture of the company... "Oh, we're not Windows, we don't get viruses. We don't get viruses because our security is good. Our security is good, obviously, because we don't get viruses." It, in effect, is a feedback loop of complacency and hubris. (A prime example of this is how Macs within the Cupertino campus were infected with the Flashback botnet.)

Since their culture was that of security by obscurity (unlike, say, Google's explicit design in keeping Chrome sandboxed and containerized for sites), closed source and again, hubris... it's coming back to bite Apple in the ass despite their ongoing "We don't get viruses" style smugness. If it's not about Macs not getting viruses, it's about how Apple values your privacy (implying others explicitly don't) and, like with everything else, it's repeated often enough to where the Kool-Aid from within becomes the truth.

Apple's culture is that of smugness, ignorance and yep... hubris. Why should they have a serious, respectable bug bounty program if they've been busy telling themselves that they simply don't have these kinds of security problems, the ones they've bragged about never having?
