Security Researcher Shares macOS Exploit Information with Apple for Free

• Security researcher Linus Henze published an exploit affecting Apple’s macOS in February.
• Apple reached out to Henze, but the security researcher refused to share the exploit due to the lack of a bug bounty program.
• After weeks of waiting for an official response, the security researcher has retracted his stance and has sent the exploit details to Apple.

Apple has had a bug bounty program in place for years for iOS to reward researchers who spot critical bugs that affect the operating system. However, a similar program is not available for macOS to incentivize bug reporting. Germany-based security researcher Linus Henze discovered a bug in macOS that potentially could allow hackers to break into the operating system which was first covered by 9to5Mac. The exploit can be used to retrieve passwords and other user information stored by users in Keychain.

Henze published his findings online last month but chose not to share the exploit with Apple because of no bounty program being in place for macOS. But the security researcher has retracted his stance on the matter and shared it with the tech giant eventually. Henze hopes that the company launches a macOS bounty program similar to the one for iOS.

On Tuesday @Apple contacted me and asked me if I would send them the details about my exploit. I told them that I would if they accept my offer. However, I’ve got no response from them. Today I wrote them again. Attached is an image of what I wrote. pic.twitter.com/GcNv8VQISH

— Linus Henze (@LinusHenze) February 8, 2019

Apple had contacted Henze on February 5 to ask about the security exploit. The researcher agreed to submit the exploit only if Apple would offer an official statement on why the company does not have a bug bounty program in place for macOS. The tech giant did not agree or even respond to the offer even though Henze reached out for a follow up after the initial conversation.

After being ignored for weeks, Henze revealed that the security of the macOS platform is important to him and he will be publishing the exploit details to Apple. While the iOS bug bounty program has been in place for over two years now, there have been issues surrounding it as well. Apple was not particularly welcoming to “outsiders,” and only researchers who have been invited to the program are usually paid when they find any exploits.

Do you think Apple should implement a bug bounty program for macOS? Let us know in the comments below. Don’t forget to join our discussions on Facebook and Twitter.