At least it seems that they won't assign CVE IDs and credit researchers without compensating them at all (which is what happened when I reported CVE-2024-27811, for example):

> We want those researchers to have an encouraging experience — so in addition to CVE assignment and researcher credit as before, we will now also reward such reports with a $1,000 award.

aren't all bug bounty program at the sponsor's inscrutable discretion?

Yes, but Apple tends to be more inscrutable than anyone else.