In my opinion they don't "owe" anyone that obligation, unless it's a contractual obligation associated with using a Mac. But just because it's not owed to anyone doesn't mean there isn't a nicer way to handle it just to be nice.
That said, I don't immediately see evidence that this gentleman is in the security field, and perhaps he isn't aware of responsible disclosure. Full disclosure isn't the worst thing in the world.
To whom does he owe that obligation? Apple? The public? Both? Why?