What to do if you find a security problem in macOS

Occasionally, users bump into something in macOS which looks like a security problem. It may not even be in macOS itself, but in an app which you’ve obtained from the App Store. This brief article explains what to do next.

A couple of years ago, this happened when one of the leading Mac forensics experts was browsing their Mac’s log. They noticed that one of the messages there contained in plain text the password they had set when formatting an encrypted external volume. It turned out that this was a general problem with that release of macOS, as a result of which many encrypted volumes could have been compromised. Apple fixed the vulnerability quite quickly, and even changed the way that logging works to avoid any recurrence of such leaks.

Apple takes reports of security vulnerabilities seriously, even when they come from users who aren’t developers and can’t give technical details. If you come across any security issue in a currently supported version of macOS, in any of Apple’s apps, or affecting an app provided through the App Store, please report it to Apple by email to product-security@apple.com as detailed here.

You won’t normally be awarded any bounty or reward for such a report. However, if you’re a security researcher, developer, or system administrator and can provide full details of the vulnerability, you may be eligible for Apple’s Security Bounty. This can pay up to a million dollars, but requires considerable detail, including a working exploit. Details of the programme are given here.

Reporting issues that aren’t directly related to security isn’t as likely to elicit a response from Apple. You can do this through Apple Support, by providing online Feedback, or, if you have a developer account, by filing a bug report using Apple’s Feedback Assistant.