
Citation needed.

Both Apple and Google have updated these pages with security disclosure PGP keys in the last year.

https://support.apple.com/en-us/101985

https://about.google/company-info/appsecurity/

I design most corporate bug bounty programs the same way.

Sure, people rarely use PGP, but the ones that do are usually serious and high quality, and we let them skip the tier 1 queue. Script kiddies never know how to encrypt things.



It has not at all been my experience that PGP-encrypted bounty submissions are fast-tracked and most (almost all, in fact) good bounty submissions aren't encrypted. Google downplays PGP in the link you provided. Apple doesn't ask people to use theirs.


Are we looking at the same links?

It is provided as an option, the ONLY option, for those that feel encryption is merited for a sensitive report.

Google page: "If you feel the need, please use our PGP public key to encrypt your communications with us."

Apple page: "Apple security advisories are signed with the Apple Product Security PGP key. Sensitive security information may be encrypted to this key when communicating with Apple Product Security."


I think you missed some subtext that I thought was pretty obvious which is that most people don't encrypt bug bounty submissions in 2025.


> Neither Google nor Apple rely on PGP for vulnerability disclosure handling.

They support and rely on it exclusively for security disclosures sensitive enough to merit encryption.


"Sensitive enough" is smuggling in a presumption of yours that isn't supported by evidence. Whether or not submissions are PGP-encrypted (in my experience: they very rarely are) is uncorrelated with their severity.


In my experience building bug bounty programs for many high risk orgs, PGP reports are rare, as you indicate. Maybe a couple a year.

That does not make them any less critical or relied on. We always took them super seriously and read them offline because they were often highly sensitive real disclosures that merited being exposed only to a very small circle of people with security team decryption smartcards.

It is a safe assumption skiddies do not know how to use PGP so low skill reports with PGP almost never happened.

I would never run a bug bounty program without having a highly visible public key to encrypt highly sensitive reports to.


You haven't responded to my point. I would happily run a bounty program without a PGP key; in fact, I'd recommend not publishing a PGP key, and instead making arrangements to communicate a Signal identity.


If I as a security researcher want to send a super sensitive disclosure to an organization like "I have reason to believe your devices are compromised", I want to be damn sure it goes to a PGP key held on smartcards that decrypt reports on airgapped operating systems.

I also may want to do this anonymously.

Signal is the wrong tool on both counts. Fine to have as an option but I would never have that as the only option.


That is very silly. I founded and ran what was at the time the 2nd or 3rd largest software security consultancy in North America, then acquired and rolled up into what was the largest software security consultancy in North America (NCC Group US), our client list was a phone book of every major tech firm and every major manufacturer and infrastructure company with a significant code footprint, our firm at its peak was generating many game-over findings per day across a wide range of companies, and most of our clients would have gotten angry at us if we told them to install PGP.

More of them required password-protected ZIPs than PGP, so much so that we had a whole complicated document to ensure we were using the versions of ZIP file programs that used AES and not Bass-o-matic.

Apple and Google routinely get findings worth 6-7 figures that aren't PGP encrypted.

PGP-encrypting bug bounty submitters are mostly LARPing.

I will take the Pepsi Challenge with you on experience with bounty programs if you'd like. But here's another question: have you ever been on a major-vendor embargo list before? Was it your experience that those embargo lists were uniformly PGP-encrypted? (I can spoil this one for you if you like).

Tell me more about how major vulnerability disclosures depend on PGP, please.
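The comment above mentions keeping a document on which ZIP programs actually apply AES to password-protected archives rather than the legacy cipher. The following is an added example (not code from anyone in this thread) showing how a receiving team can check that from the archive itself: the central directory flags an entry as encrypted with general-purpose bit 0, legacy ZipCrypto leaves the real compression method in place, and WinZip-style AES uses method 99 plus a 0x9901 extra field that records the key strength. The sample archives are constructed in-line with only the header fields set (no real encryption, salt or authentication code), which is enough to exercise the check.

```python
import io
import struct
import zipfile
import zlib

# Assumption: the header fields below are what a ZIP writer emits; the sample
# archives are constructed for this example and carry no real encrypted payload.


def _build_zip(name: bytes, data: bytes, flag_bits: int, method: int, extra: bytes = b"") -> bytes:
    """Assemble a single-entry ZIP (stored payload) with the given header fields."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # Local file header: sig, version needed, flags, method, time, date, crc, sizes, name/extra lengths
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flag_bits, method, 0, 0x21,
                        crc, len(data), len(data), len(name), len(extra)) + name + extra + data
    # Central directory record (46 bytes + name + extra)
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flag_bits, method, 0, 0x21,
                          crc, len(data), len(data), len(name), len(extra), 0, 0, 0, 0, 0) + name + extra
    # End of central directory: one entry, central dir follows the local record
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def encryption_method(zi: zipfile.ZipInfo) -> str:
    """Classify one entry from its central-directory headers."""
    if not zi.flag_bits & 0x0001:          # bit 0 clear: entry is not encrypted at all
        return "unencrypted"
    if zi.compress_type != 99:              # method 99 is the WinZip AES marker
        return "zipcrypto"                  # legacy PKWARE stream cipher
    extra = zi.extra
    while len(extra) >= 4:                  # walk the extra-field list looking for 0x9901
        tag, size = struct.unpack("<HH", extra[:4])
        body = extra[4:4 + size]
        if tag == 0x9901 and size >= 7:
            _version, vendor, strength, _real_method = struct.unpack("<H2sBH", body[:7])
            bits = {1: 128, 2: 192, 3: 256}.get(strength)
            if vendor == b"AE" and bits:
                return f"aes-{bits}"
            return "unknown"
        extra = extra[4 + size:]
    return "unknown"                        # method 99 without a parseable AES extra field


def audit_zip(blob: bytes) -> dict:
    """Map each entry name in the archive to its encryption classification."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {zi.filename: encryption_method(zi) for zi in zf.infolist()}


def sample_archives() -> dict:
    """Constructed archives: plain, legacy ZipCrypto-flagged, and AES-256-flagged."""
    aes_extra = struct.pack("<HH", 0x9901, 7) + struct.pack("<H2sBH", 2, b"AE", 3, 0)
    return {
        "plain.zip": _build_zip(b"report.txt", b"hello", 0x0000, 0),
        "zipcrypto.zip": _build_zip(b"report.txt", b"hello", 0x0001, 0),
        "aes256.zip": _build_zip(b"report.txt", b"hello", 0x0001, 99, aes_extra),
    }


if __name__ == "__main__":
    for label, blob in sample_archives().items():
        print(label, audit_zip(blob))
```

Python's zipfile cannot extract method-99 entries, but it parses the central directory fine, which is all this check needs; a "zipcrypto" result on an incoming report is the signal that the sender's tool fell back to the legacy cipher.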


> That is very silly. I founded and ran what was at the time...

This just seems to be an appeal to authority. I will just say your credentials do not impress me.

Let's just stick to two security engineers on different sides of the same industry having a technical merits discussion.

In any event I did not once claim PGP encrypted reports are common, but I can say of the dozens I have received, most were very high quality from actual security researchers, and some have made me very happy I insisted such reports be decrypted offline on a machine I absolutely trust.

It is good to give people options, and especially at least one that can be used anonymously with a fully open source operating system using a decentralized very widely used and established standard.

I for one have made more than a few very sensitive security reports and do not own a Google or Apple controlled device or a Signal account.


I don't care if my credentials impress you. That wasn't my point. You just conceded the point I was actually making.



