There's a Mac vulnerability that could expose stored passwords to malicious apps. But Apple can't fix it because the hacker who found it won't tell them how. Not until he gets paid, and not until Apple sets up a bounty program so all Mac security researchers will be paid.

From Forbes:

Now German 18-year-old Linus Henze has uncovered a vulnerability affecting the latest Apple macOS that leaves stored passwords open to malicious apps. That could include logins for your bank website, Amazon, Netflix, Slack and many more apps. And even though this is a Mac-only bug, if you're using the iCloud keychain, passwords synced across iPhones and Macs may also be in danger.

To make matters worse, it's likely that no fix is in the works. Henze isn't disclosing his findings to Apple, telling Forbes the lack of payment for such research was behind his decision to keep the hack's details secret from the Cupertino giant.

That Apple still hasn't launched a Mac bounty program to go along with its existing iOS bounty program isn't just perplexing; as a customer I find it utterly unacceptable. But Henze, who has previously dropped 0day vulnerabilities on the Mac community, is in the wrong here, and Apple's failing doesn't make that right.

Disclose, then, in the publicity that follows, tear into Apple for not having that program launched already. (Apple has all but said outright that they're working on it.) Tech pubs would like nothing more than to plaster that headline across the internet and get all the attention needed to push Apple into action.

But other people could have discovered this vulnerability as well, and holding it hostage to extort a bounty is just unconscionable.