Do I work for free? No. But then I don't spend days, weeks or months working on a company's product when they have no idea I exist.
The researcher knew Apple did not offer a bounty, but invested the time anyway.
Now... having said that...
I think Apple should offer a bug bounty. It's a great way to attract the attention of these skilled researchers. But the security community surely has better ways of engaging with Apple than withholding information about a potentially critical bug. Since they offer one for iOS, Apple are clearly not against the principle.
If the bug has been found, it should be disclosed so that it can be fixed in order to protect millions of macOS users -- that's the right thing to do. Rewarding researchers for finding bugs is also the right thing to do.
If that's the case, then Apple has no incentive to provide a bounty program whether he reports it or not. He might as well have kept quiet and let the nefarious hackers find the bug.
The user must be logged in, so a stolen Mac would not be vulnerable unless it was stolen while unlocked. This isn't really all that "Nasty"... just sloppy/bad.
A bug like this is not necessarily nasty. It becomes nasty when a bug in Safari allows remote code execution which then exploits the Keychain bug.
No, I am saying that someone would need physical access to a Mac, would need to have the user password and manage to install a malicious app in order to get access to the keychain information, without the owner having a clue.
To me this is the same as saying, I allowed you access to my house, gave you the key and pointed out where I hide my sensitive information.
That is not a bug, but me being stupid.
You don't need physical access if you can exploit a remote code execution bug in Safari which can then deploy the Keychain bug. The browsers Safari, Chrome, Edge, Firefox, etc. are full of bugs and many of them are critical RCE.
Maybe because it would be the right thing to do?
Geez, kinda like the "right thing to do" was to deny^100 until irrefutable data is provided.
Antennagate
Bendgate
Touch Disease
Batterygate (secret throttling)
Did I miss anything else?
Nobody asked him to perform the security test. He did this in his free time. Why the hell should he now blackmail Apple? Also, if he considers himself a "good" hacker or "ethical" hacker, he disqualified himself by asking for any kind of money with this. If he wants to be paid by Apple, then he should submit a CV and become their employee.
He's asking Apple to have a bounty program for MacOS like Google (Chrome OS and Android) and Microsoft (Windows). It's a far better approach for Apple than hiring a person permanently full-time. No need to pay them $150,000+ every year.
Apple has chosen not to offer any bug bounty programs for OS X at this point. Nobody knows the reasoning behind that decision. Again it doesn’t mean that some guy can come and play basically entitled victim for something he wasn’t asked to do. End of story.
It's not that difficult to take a guess. A proper bounty program offers security researchers huge incentives to find defects. No bounty program = no incentives = "no" bugs = macOS is pretty safe, right? It's rather ironic that Apple is all about security ("We designed macOS with advanced technologies that work together to constantly monitor, encrypt, update — and ultimately keep your Mac safer.") and yet they have no incentives for responsible disclosures.
Guy: You have a bug in Keychain.
Apple: Sure let's have it. Thx for your time.
Guy: You should offer a bounty program.
Apple: No
Guy: Okay, you can have your employees find it.
Apple: Sure
Guy: Fine
Apple has no obligation to offer a bounty program, but Apple is hypocritical to its customers on security. It's hard to believe that Apple, being the wealthiest company in the world, doesn't have a bounty program for macOS that provides fair incentives to responsible hackers.