The researcher who discovered the macOS keychain hole finally collaborates with Apple

A few days ago we commented on the work of Linus Henze in relation to his discovery in the macOS keychain, which allowed an exploit to access the credentials and passwords stored on a Mac.

There are more and more macOS users, and therefore the industry is turning to this operating system, security researchers included. This time the researcher had decided not to share the finding with Apple, given that Apple does not reward researchers for security holes in macOS, as it does with iOS. But Henze has finally decided to share his find.

Henze does it for users, but Apple agrees to review its rewards policy, in this case for macOS. As we said, a similar program has existed for iOS since 2017. Until that moment, the errors found in macOS were insignificant, but time seems to indicate that these errors were there and nobody had noticed them. The complaint of researchers like Henze is that their work on macOS goes unpaid, unlike on other operating systems such as iOS, where it is rewarded.

Henze's communication with Apple about the Keychain security hole

The researcher received a communication from Apple asking him to send them the details of the attack. He answered that he would if he could get a financial benefit from his work. Later, on February 8, he emailed AppleSecurity asking why there is no bounty program for bugs found on the Mac.

At first, Apple ignored this email, because it did not want to deviate from the line applied to the rewards program for its products. Apple should review its policy, as doing so benefits the company itself as well as the users of an operating system that for a long time carried the banner of the most secure operating system. With the information provided by Henze, Apple will surely prepare a patch that we will see available for installation in the next few days.

