Last year, Apple expanded its bug bounty program to include macOS along with the iPhone. However, according to at least one researcher, the company is not acting quickly enough on some exploits.
Six months ago, developer Jeff Johnson notified Apple of an exploit that allows an attacker to steal private data using a malicious Safari clone.
If a user is tricked into downloading the malicious file, the Safari clone provides unauthorized access to macOS. Any restricted files available to Safari are immediately available to the attacker.
Johnson explains that the exploit works because Apple's Transparency, Consent, and Control privacy protection feature performs insufficient checks on the authenticity of a file. This means that the modified version of Safari can run without activating the aforementioned protection.
And yes, the exploit also works in the current macOS 11 Big Sur beta.
Johnson says Apple told him they were still investigating the problem, after initially telling him it would be fixed in the spring of 2020. Of course, people are currently dealing with an ongoing pandemic and workers around the world are working remotely, which goes some way toward justifying delays.
Hopefully the bug will be fixed by the time Big Sur goes public. For more on how the exploit operates, see Johnson's post.