I think this is actually the security researcher's fault. If you read the small print, this kernel bug doesn't meet the Bug Bounty Qualification Criteria of being on an OS that Apple actually gives a shit about.
They did Apple a solid, but not in accordance with the precise terms as laid out by Apple, so it's perfectly justified for Apple to take the researcher's work for nothing?