After a German-based security researcher claimed last month to have found a MacOS security solution to access keychain-stored passwords and user information, he said he had his position on the Sharing this information reversed With Apple reported 9to5Mac on Wednesday.
Linus Henze shared his obvious findings in a YouTube video he shared on February 3. However, he said that he did not intend to share the exploit with Apple, claiming the decision was based on the fact that the tech giant has a bug bounty program for iOS, but not macOS. Henze wrote that he hoped "this forces Apple to open a bug bounty program at some point." But no cigar.
Henze claims he was contacted by Apple for the February 5 security exploit, which he apparently had time to file for the exploit and a patch if the company made an official statement about why lacks a macOS bounty program, in a screen grave he shared with Twitter . He claims that after receiving no response from the company, he had followed up the Apple security team with the same offer.
On Thursday, Henze tweeted that he had shared the information with Apple, "although they have not responded, as this is very critical and because the security of the macOS user is important to me. " We have informed Apple about the obvious exploit and will update when we hear again.
Apple's bounty for iOS has been around for a few years, but even it's not perfect. At first, people interested in the dough thought that bugs were worth too much to report directly to the company, Motherboard reported in 2017 (a follow-up report from last year has shown that something has changed ). Nikias Bassen of Zimperium told the site back then that researchers could "get more money by selling their mistakes to others."
Even Keith Hoodlet, a trust and security engineer at the cybersecurity platform Bugcrowd, said in Wired in 2017 that Apple "would likely benefit from a Bug Bounty program that is slightly wider than just iCloud or iOS infrastructure. " And honestly? That does not sound like such a terrible idea.