Researcher Shares macOS Keychain Exploit With Apple Despite Bug Bounty Shutout

Early last month a security researcher announced that he had discovered a severe bug in macOS that left passwords stored in the keychain vulnerable. The catch was that the researcher, Linus Henze, refused to share the flaw with Apple because he could not get paid for his work. Apple operates a bug bounty program for iOS that pays researchers who find and report bugs, but macOS has no comparable program.

Henze said at the time that exploiting the bug required nothing more than getting the user of the Mac to run a simple app; no other interaction was needed. His refusal to share the bug with Apple was a stand against the policy of not paying for bugs found by macOS researchers. Apple and Henze were in a standoff of sorts, and Henze blinked first.

Henze has now shared details of the bug with Apple despite initially refusing on the grounds that there is no bug bounty program for macOS. Apple never responded to his demand; he eventually handed over the bug anyway, saying that the security of Mac users was important to him.

It's very curious that Apple doesn't offer a bug bounty program for macOS flaws. The purpose of a bug bounty program is to entice those who discover a bug in Apple software to report it to Apple rather than sell it to others who might use it for nefarious means. At least Henze's move with the bug he discovered did shed light on the fact that Apple offers no incentive to report macOS bugs; many Apple fans likely assumed it did, since the iOS program has been in place for years.