A Germany-based security researcher who last month claimed to have identified a macOS security workaround for accessing passwords and user information stored in Keychain says he has reversed his position on sharing that information with Apple, 9to5Mac reported Wednesday.
Linus Henze presented his apparent findings in a YouTube video posted Feb. 3. But he said at the time that he was not planning to share the exploit with Apple, claiming the decision boiled down to the fact that while the tech giant has a bug bounty program for iOS, it does not have one for macOS. Henze wrote that he hoped “this forces Apple to open a bug bounty program at some time.” But no cigar.
Henze claims he was contacted by Apple about the security exploit on Feb. 5, at which time he appears to have offered to submit the exploit and a patch if the company would provide an official statement on why it lacks a macOS bounty program, per a screengrab he shared to Twitter. He claims that after receiving no response from the company, he again followed up with the Apple security team with the same offer.
On Thursday, Henze tweeted that he submitted the information to Apple “even though they did not react, as it is very critical and because the security of macOS users is important to me.” We’ve reached out to Apple about the apparent exploit and will update if we hear back.
Apple’s bug bounty for iOS has been around for a couple of years now, but even it isn’t perfect. Initially, folks who were interested in the dough found that bugs were worth too much to report directly to the company, Motherboard reported in 2017 (a follow-up report last year indicated that had somewhat changed). Nikias Bassen of Zimperium told the site at the time that researchers could “get more cash if they sell their bugs to others.”
Still, Keith Hoodlet, formerly the trust and security engineer with cybersecurity platform Bugcrowd and currently the Manager of DevSecOps at Thermo Fisher Scientific, said in 2017, per Wired, that Apple “would likely benefit from having a bug bounty program that’s a little bit broader than just iCloud or iOS infrastructure.” And honestly? That doesn’t sound like such a terrible idea.
Correction 3/5/18 3:15 p.m. ET: An earlier version of this story identified Keith Hoodlet as a trust and security engineer at Bugcrowd. He is currently the Manager of DevSecOps at Thermo Fisher Scientific. We regret the error.