Interesting workaround, although it's kind of so overkill to get a /48 prefix and have 5-10 IP addresses used inside it... and what happens when the abusers will also get a /48?
This guy spent 2 years realizing that "it's a business relationship". I worked at another smaller bay area company and I only spent 2 months to realize that. Google is already much better.
https://support.apple.com/en-us/HT201220 has a section for “Security and privacy researchers”. The process is to send mail to product-security@apple.com, optionally encrypted by Apple Product Security's PGP key. A developer account is not required.
Since this page is the top search engine hit for several obvious searches (for example “report apple security vulnerability”), hopefully Mr Masri reported it there.
If you submit a report on bugreport.apple.com, it will be triaged and (if necessary) passed on to the appropriate team to asses. I fixed several external user reported bugs when I worked at apple. You have to have a developer account to use bugreport. Now that I have retired, I use it. The people triaging do not know I used to be at apple. Not all the issues I report get resolved, just because they are probably low priority. But the important ones are dealt with, usually quite quickly.
They do if you file them at radar.apple.com. I've had back and forths with them on some video card performance issues after sleep after filing a report there.
Radar is Apple’s internal bug tracking system. Outsiders have limited access to it. I believe bugreport.apple.com is the path for submitting bugs as an external developer.
