I need some clarity here.
Is he asking for money, recognition or both?
If it's money, I have bad news for him - even if you don't set a price on it I think you have already passed the point of probity, and if you want to know how that works I only have to highlight the FaceTime bug, which has emerged as having been known for a LOT longer than when it got acknowledged publicly (btw, still waiting for a fix on that, although I have just seen something show up in iOS betas).
There's also the fact that it's now out there that it is possible, so it's not going to take that long for someone else to work it out - thus, even the limited disclosure for publicity (read: pressure) reasons is causing harm.
That said, I can see where he's coming from and frankly, I'm a bit disappointed with Apple having not much of a program in this respect. Microsoft has it because it sorely needs it (that said, they don't pay for all fixes either - one of the rather major Outlook password bugs just got fixed quietly without the people who discovered it being paid a penny).
Must do better - all of them.