> If you use the SRD to find, test, validate, verify, or confirm a vulnerability, you must promptly report it to Apple and, if the bug is in third-party code, to the appropriate third party. If you didn’t use the SRD for any aspect of your work with a vulnerability, Apple strongly encourages (and rewards, through the Apple Security Bounty) that you report the vulnerability, but you are not required to do so.
So vulnerabilities found through this program are not eligible for any reward. Then what would be the incentive to enroll (and accepting liabilities like losing the device, Apple suspecting you of breach of contract etc)? Just bragging rights?
I think that is supposed to be read as "you must report any vulnerabilities, which will be treated as any vulnerability you chose to voluntarily submit".
So vulnerabilities found through this program are not eligible for any reward. Then what would be the incentive to enroll (and accepting liabilities like losing the device, Apple suspecting you of breach of contract etc)? Just bragging rights?