It's definitely a fine line.
While the assumed "right / moral" thing to do is report the bug to Apple (or whatever vendor) and get it fixed, there are a growing number of security-related sites and companies who will readily pay for this type of information disclosure, and companies like Apple really need to consider whether they want the information released to those companies, first, before they have a chance to fix them. Ethics would say the author of the post should just give the exploit info to Apple, but all things considered, one can easily see why a person might just submit it to someone else, who's readily willing to pay for it. After all, as the post says, "Apple pays people to do the same job so we know there’s value to this work." So if they can pay people to do it, why can't they shell out a bit for an outsider, who found something that, perhaps, their paid help did not?
I personally wouldn't charge for a finding, unless I was being contracted / paid to look. If I found something otherwise, because I felt like digging around, well, that was my choice / my time, and I wouldn't expect someone to pay me for my own fun and excitement. I'd have to agree with NickFnord in that, if I went looking and then asked them for pay for finding their bugs, I'd feel like it was 'extortion.'
It's a rough world we live in... and definitely a touchy subject to many.
~ hayabusa ~
"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'
OSCE, OSCP, GPEN, C|EH