A German teenager has released details regarding a Keychain security flaw in macOS to Apple after discovering it in February.
The eighteen-year-old Linus Henze, who dubbed the flaw ‘KeySteal,’ initially refused to share details with Apple because the company didn’t have a bug bounty program for macOS.
Bug bounty programs are common in tech as a way to reward researchers for discovering bugs in software. Apple runs a program like that for iOS but has no similar program for macOS.
Henze argued that his refusal wasn’t about the money, but about the creation of a bug bounty program for macOS. Ultimately, he chose to share the details with Apple because “the security of macOS users is important” to him.
I’ve decided to submit my keychain exploit to @Apple, even though they did not react, as it is very critical and because the security of macOS users is important to me. I’ve sent them the full details including a patch. For free of course.
— Linus Henze (@LinusHenze) February 28, 2019
Additionally, Henze included a patch in his submission to Apple, and he did so for free.
The zero-day macOS vulnerability could allow an attacker to obtain sensitive data stored in the Keychain, such as passwords and other login credentials.
Henze hopes Apple will change its stance and offer a bug bounty program for macOS.