Why Noxen ships via Developer ID, not the Mac App Store
The question I get every time I mention Noxen to another Mac dev: "MAS, right?" And the answer is no — or at least, not for v1. This is the reasoning.
Reason 1 — App Review risk on "vulnerability scanner"
Apple's App Review Guidelines explicitly name-check anti-malware-style marketing (4.5.6). The macOS "vulnerability scanner" category isn't named, but it's adjacent, and Fing only gets on the store by calling itself network discovery.
During Phase 0, Noxen ran an App Store Connect dry-run: push a real draft listing with "vulnerability scanner" in the keywords, submit nothing, and watch what ASC's automated checks flag. Interestingly, nothing was flagged at the automated layer. But the automated layer isn't the concern. App Review is performed by humans, it is much less predictable, and a rejection two weeks into launch is expensive.
If Noxen ever does go to MAS it'll likely need to rebrand ("Homelab Auditor" or similar) to match Fing's hedging. That's a v2+ discussion, not a v1 launch decision.
Reason 2 — Sandbox is fine, App Review is the risk
Noxen's scan pipeline is genuinely sandbox-compatible:
- Network client over SSH / TCP / TLS — com.apple.security.network.client.
- ~/.ssh/config via NSOpenPanel + user-selected file access.
- Scheduled scans via SMAppService instead of dropping a raw LaunchAgent plist.
- Local-network port scan needs the Local Network entitlement on macOS 15+. Normal.
- Keychain, CloudKit, SwiftData, PDFKit, native networking APIs — all fine.
So the technical path to MAS exists. Pareto Security famously can't ship on MAS because their checks need system state outside the sandbox. Noxen is the opposite: it lives entirely within the sandbox because it talks to remote boxes, not the local one.
Reason 3 — the standard Mac auto-update path is better than the App Store for a security tool
Here's the case I care about: a critical CVE in the CPE normaliser or the matcher itself. I want to ship a fix in hours. MAS needs at minimum several days: submit → review → release. The standard auto-update path ships in minutes after we run fastlane release.
For a tool whose job is helping people close security windows quickly, the update channel shouldn't itself be the delay.
Reason 4 — Economics
Apple takes 30% of everything, dropping to 15% under the Small Business Program (under $1M/year). Paddle as merchant-of-record takes around 5–6% all-in (card processing + their fee). For a one-time $79 product, that's the difference between $59 and ~$74 per sale — close to a 25% revenue uplift on the direct channel, which materially changes whether the project supports its development budget.
Also: direct sales mean actual customer emails, which means I can email customers about security patches when they matter. MAS doesn't expose buyer emails by design.
Reason 5 — Paddle handles EU / UK VAT for us
This is underrated as a reason. Noxen is built in South Africa. If we sold into the EU, UK, and US directly, we'd need a merchant of record, or we'd need to register for VAT in multiple jurisdictions. Paddle (MoR) absorbs that complexity at roughly the same fee level as Apple's small-business 15%, with none of the App Review risk. (We originally piloted with Lemon Squeezy in early 2026 and migrated to Paddle later that year for stronger EU VAT handling and a cleaner license-key API.)
What Developer ID direct actually requires
- Apple Developer Program membership ($99/year). Already have.
- Developer ID certificate — free once you're in the program.
- Notarisation — free Apple service that inspects each release binary for malware.
- Standard Mac auto-update tooling — open source.
- Paddle as merchant-of-record — setup in ~30 minutes; ~5–6% all-in per transaction, EU VAT handled.
Fastlane orchestrates all five into a single release lane.
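As an added example (not Noxen's own Fastfile, and not code from the post), here are the signing, notarisation and verification steps the list above implies, written as a plain POSIX shell lane. The app path, Team ID, signing identity and the notarytool keychain profile name are assumptions; DRY_RUN=1 prints the commands instead of running them, which is also how the lane can be exercised on a machine without Xcode tools.

```shell
#!/bin/sh
# Added example: Developer ID release lane in plain sh.
# Assumptions: build output path, Team ID, identity string and the
# notarytool keychain profile are placeholders to be replaced.
set -eu

APP="${APP:-build/Noxen.app}"              # assumed build output
TEAM_ID="${TEAM_ID:-TEAMID0000}"           # placeholder Apple Team ID
IDENTITY="Developer ID Application: Example Developer (${TEAM_ID})"
PROFILE="${NOTARY_PROFILE:-noxen-notary}"  # assumed `notarytool store-credentials` name
ZIP="${APP%.app}.zip"

# run CMD... : executes the command, or prints it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# sign_app: Developer ID signature with hardened runtime and a secure
# timestamp; notarisation rejects binaries that lack either.
sign_app() {
  run codesign --force --deep --options runtime --timestamp \
    --sign "$IDENTITY" "$APP"
}

# notarize_app: zip with ditto (keeps bundle metadata intact), submit and
# wait for the verdict, then staple the ticket so Gatekeeper can verify
# the app offline on first launch.
notarize_app() {
  run ditto -c -k --keepParent "$APP" "$ZIP"
  run xcrun notarytool submit "$ZIP" --keychain-profile "$PROFILE" --wait
  run xcrun stapler staple "$APP"
}

# verify_app: the same checks Gatekeeper applies on a user's machine,
# run before the artifact is published so a bad build never ships.
verify_app() {
  run codesign --verify --deep --strict --verbose=2 "$APP"
  run spctl --assess --type execute --verbose=4 "$APP"
  run xcrun stapler validate "$APP"
}

release_lane() {
  sign_app
  notarize_app
  verify_app
}

# release_lane_plan: the command list the lane would execute, one per line,
# without touching the signing identity or the notary service.
release_lane_plan() {
  ( DRY_RUN=1; release_lane )
}

# Usage: RELEASE_LANE_RUN=1 sh release.sh      (performs the release)
#        sh release.sh                         (no-op; functions only)
#        DRY_RUN=1 RELEASE_LANE_RUN=1 sh release.sh   (prints the plan)
if [ "${RELEASE_LANE_RUN:-0}" = "1" ]; then release_lane; fi
```

The verify step is the part worth keeping even if the rest moves into a Fastfile: a stapled, notarised build that fails `spctl --assess` locally will fail the same way on every customer's Mac, and catching that before publishing the update feed is cheaper than a rollback.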
When MAS might make sense
Year 2 or 3, once Noxen has a stable buyer base through the direct channel:
- Setapp inclusion — passive audience, modest passive monthly baseline.
- MAS with a "Homelab Auditor" rebrand — if the A/B test says it's worth it.
- Volume purchasing for teams — requires ASC anyway.
But at v1.0, with a single developer and limited review-queue patience, Developer ID direct is the obvious choice. It just doesn't look obvious if you've only ever shipped apps to MAS.
Scan your Linux fleet from your Mac
Noxen runs nightly agentless audits over SSH and shows only what changed since the last scan — new CVEs, config drift, newly exposed admin services. Mac-native control plane, no SaaS round-trip.