It is not uncommon for dangerous security holes to be discovered in Apple's operating systems. Apple recently had to deactivate its Group FaceTime service because it was possible to eavesdrop on contacts.
About a month ago, security researcher Linus Henze found a hole in Apple's keychain under macOS 10.14.3 and made it public on YouTube. There he demonstrated how the bug worked, but for a specific reason he did not want to give any further details. In the video, Henze demonstrates how a tool could easily read the entire password collection. The prerequisite: the tool must be running on the respective Mac. The program can be hidden in an app and does not even need access rights to the keychain itself - it strikes when the user unlocks the Mac keychain themselves. He did not give any exact details at the time, nor did Henze want to explicitly disclose the bug to Apple. He justified this stance by saying that Apple does not have a bug bounty program for macOS - something all other manufacturers have.
Henze relents
Now the security researcher seems to have changed his mind. He says he has passed on all the details to Apple and has even prepared a patch to fix the bug. Despite this change of heart, he continues to criticize the lack of a bug bounty program for macOS. Apple itself only has such a program for iOS, but it does not work particularly well. An update to close the hole should therefore follow soon.