Linus Henze has decided to report a serious bug in the macOS keychain security software to Apple without receiving any reward. He had previously withheld the details of the bug to protest Apple's lack of a bug bounty program for the macOS platform, but he now considers the problem too serious to keep to himself.
I’ve decided to submit my keychain exploit to @Apple, even though they did not react, as it is very critical and because the security of macOS users is important to me. I’ve sent them the full details including a patch. For free of course.
— Linus Henze (@LinusHenze) February 28, 2019
Although Apple ignored all the conditions he had previously proposed, the researcher from Germany in early February showed Apple all the details of the keychain security flaw. Henze said he decided to disclose all the details to Apple because he considers the bug very critical and because the security of macOS users is very important to him.
In a demo video released in early February, he showed that a malicious attacker could exploit the vulnerability to collect all sensitive data on a Mac without administrator privileges (or the administrator password).