Last month, we covered a macOS Keychain exploit that seemingly could expose user credentials and passwords. At the time, the researcher Linus Henze did not disclose the workings of the exploit to Apple as a protest because Apple does not offer a bug bounty reward scheme for macOS. Despite no change on that front from Apple, Henze has now decided to share his findings with the company to protect users.
The iOS bug bounty program launched in 2017. The lack of bug bounties for macOS exploits is seen as a slight against Mac users, as if Apple does not value their security as much as that of iOS customers. Many believe that Apple will eventually set up a macOS bug bounty program and is simply dragging its feet.
Henze is obviously upset that his work will seemingly go unpaid, unless Apple changes its mind soon. Around the time that we originally covered the bug, Henze says that he received communication from Apple asking him to send them the details of the exploit. He said he would if he could get a commensurate payout for his findings. Apple did not respond. On February 8th, Henze sent Apple Security an email asking for an official statement as to why Apple is not offering a bug bounty program for Mac users.
On Tuesday @Apple contacted me and asked me if I would send them the details about my exploit. I told them that I would if they accept my offer. However, I’ve got no response from them. Today I wrote them again. Attached is an image of what I wrote. pic.twitter.com/GcNv8VQISH
— Linus Henze (@LinusHenze) February 8, 2019
This email was also apparently ignored. It’s disappointing that Apple would not at least acknowledge that a macOS bug bounty program is in the works. With his protests seemingly falling on deaf ears, Henze has now submitted an explanation of his exploit to Apple, as he believes a critical patch is necessary to protect Mac users.