Back in February we wrote about security researcher Linus Henze, who found a bug in the macOS Keychain that could allow apps to see passwords held in Mojave’s Keychain.
Henze developed an app he called KeySteal to demonstrate the discovery in action, but refused to inform Apple because Apple does not offer a Bug Bounty program for macOS.
Since Henze first demonstrated his proof of concept, he has reached out to Apple on two occasions. “I’m willing to immediately submit you the full details – including a patch,” he said in an email to the company dated Feb. 5, “if an official Apple representative sends me an official (and reasonable!) statement why Apple does not have nor wants to create a Bug Bounty program for macOS.”
Apple responded to the first contact to discuss the bug, but did not discuss the lack of a Bug Bounty program.
Henze has confirmed that he has now informed Apple of all details regarding the bug he discovered in the macOS Keychain security software, and has done so without payment from the company because the problem is too important to keep to himself.
Original source: MacRumors