Free Republic

To: Swordmaker
You might find this interesting:
macOS root login vulnerability was shared over two weeks ago as a troubleshooting tip on Apple's own developer forums

https://www.reddit.com/r/programming/comments/7gb191/macos_root_login_vulnerability_was_shared_over/

Note: it's Reddit, so caveat emptor.
11 posted on 11/29/2017 9:15:33 AM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")


To: dayglored
macOS root login vulnerability was shared over two weeks ago as a troubleshooting tip on Apple's own developer forums

I wouldn't even couch it in terms of a "vulnerability" being shared. . . but rather as a developer sharing a "cool way" for another developer to get to an Admin account who had screwed up their Admin user account. This particular developer seemed oblivious that what he had actually stumbled across was in fact a very serious vulnerability to the Mac's security.

Note: it's Reddit, so caveat emptor.

Yup, it's Reddit, so they paint it with the broadest, blackest brush they can find with the stickiest tar available.

I read through all 225 responses in the Apple Developers' Forum in question and discovered that the vulnerability in question was not actually reported to Apple but rather, as you pointed out, just "shared" as a cool "fixit tip" to access an admin account, presented to a user who had, it turned out, accidentally screwed up their Admin user's credentials. This particular tip was buried about four nests deep in a series of "tips" for the user to try. The guy who offered it did not even realize that it provided Root access, but just thought it made the person signing on using this tip an Admin.

It is not, however, one of the Apple-moderated forums. It is purely a developers' forum for seeking other developers' comments and their experiences in how developers have handled particular problems they may be having with a problem, not Apple's help. There is another area for that. As I understand it, Apple-employed engineers do not participate because of potential liability in these forums due to the possibility that some developer is working on an App that Apple may also be developing an in-house version.

Unless this was specifically brought TO Apple's attention, it is unlikely Apple would have seen it in this forum.

A couple of developers commented that it appeared to be a serious security concern that one could get to Root without a password and that shouldn't happen. . . but no one mentioned anything about bringing it properly to Apple's attention back in mid-November. I suspect they'd all forgotten that the forum was not an observed, moderated forum.

13 posted on 11/29/2017 2:46:25 PM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)
