Recently, the security researcher Linus Henze found a flaw in macOS Mojave that gives access to passwords stored in Keychain Access.
We have already commented on the details of the bug itself, as well as on Henze's displeasure with Apple for one simple and fair reason: today, Apple's bounty program (which pays hackers who find bugs) is 100% focused on iOS; that is, even if someone finds a highly serious bug in macOS and passes all the information to Apple, they will not get a dollar for it. Because of this dissatisfaction, the researcher decided not to share the details of his research.
So far, nothing new. However, a few days ago Apple decided to contact Henze, asking if he would send the details of the exploit. He then made an offer that was, in my view, quite fair to the company: he would deliver all the details, including a patch for the problem so the company could fix everything very quickly, on condition that someone at Apple send an official response explaining why there is no reward program for macOS.
On Tuesday @Apple contacted me and asked me if I would send them the details about my exploit. I told them that I would if they accept my offer. However, I've got no response from them. Today I wrote them again. Attached is an image of what I wrote. pic.twitter/GcNv8VQISH
– Linus Henze (@LinusHenze) February 8, 2019
Although Henze's goal is to be paid for his work, the researcher did not ask for a financial reward or anything of the kind. What he wanted was to hear from the company something a lot of hackers would also like to hear, because by creating a rewards program focused solely on iOS, Apple sends a clear message between the lines that only the security of those users matters.
Henze questioned Apple once and got no answer; days later he sent a new email, and again nothing. The statement did not come, but Henze decided to share the information anyway because he believes that the security of macOS users is more important than anything else.
I've decided to submit my keychain exploit to @Apple, even though they didn't react, as it is very critical and because the security of macOS users is important to me. I've sent them the full details including a patch. For free of course.
– Linus Henze (@LinusHenze) February 28, 2019
As 9to5Mac said, it is a shame that Apple didn't even recognize the mistake of not offering such a program at all in any technology company. I wouldn't be surprised, however, if the company very soon announces that it is creating something like that.