A researcher who discovered a flaw that lets him steal passwords in macOS is refusing to share his findings with Apple in the absence of a macOS bug bounty program. Linus Henze, a German 18-year-old, said that the vulnerability exists in the application's access control and enables him to extract local keychain passwords without root or administrator privileges, and without password prompts. In 2017, researcher Patrick Wardle discovered a similar critical vulnerability in macOS that allows an attacker to dump passwords in plaintext from the macOS Keychain.
Source: https://threatpost.com/macos-zero-day-exposes-apple-keychain-passwords/141584/

