A bug bounty program, like any corporate program, should be about
achieving specific objectives. In some situations finding as many
bugs as possible makes sense, but not always, and certainly not
necessarily for a company like Apple.
Apple’s program sets clear objectives. Find exploitable bugs in
key areas they consider a priority. Since proving exploitability
with a repeatable proof of concept is far more labor intensive
than merely finding a vulnerability, pay the researchers a fair
value for their work. In the process, learn how to tune a bug
bounty program and derive the most value out of it. The result is
high quality exploits, discovered and engineered by the researchers
and developers Apple believes have the skills and motivation that
will most help advance product security.
It’s the Apple way. Focus on quality, not quantity. Start
carefully, on their own schedule, and iterate over time. If you
know Apple, this is no different from how they manage the release
of nearly all of their products and services.
I was told the same thing.