
I suspect the reason Ian hasn't claimed the bounties himself is because Project Zero has very specific disclosure rules. Once reported, a vulnerability gets released to the public in 90 days, even if unfixed, for example.

Part of the requirements for joining Apple's program is probably to agree not to disclose vulnerabilities at all once discovered.

It makes sense when you think about it. Google pays Ian a salary to find bugs and treat them the way Project Zero wants. If Ian went to Apple, they would pay him a reward to treat the bugs the way they want. Trying to claim both is double-dipping.



