>>hotpxl+Pf https://support.apple.com/en-us/HT201220 has a section for “Security and privacy researchers”. The process is to send mail to product-security@apple.com, optionally encrypted by Apple Product Security's PGP key. A developer account is not required.
Since this page is the top search engine hit for several obvious searches (for example “report apple security vulnerability”), hopefully Mr Masri reported it there.