Thanks for your reply. I've softened on this since making that comment. I think there's a huge grey area for responsible disclosure. A week ahead of time? A day ahead of time? I'd consider these fairly grey, but whatever. But I still think not disclosing it to Apple at all and relying on them picking it up through the grapevine is pretty irresponsible.
I've reported three security issues to Apple. While the issues I reported were relatively minor (one was a design flaw in Time Machine, the other a buffer overrun in one of the image decoders; I don't even remember which, and the final one in the DMG handling), I wasn't at all happy with how Apple handled them. I received no email until a couple weeks later when they asked me how I'd like credit. They got patched in the next version of the OS, but in both cases I was left with several weeks of wondering if they'd even read my bug report. The design flaw was easy for the user to workaround (you just had to make sure to remove insecure apps from your Time Machine backup), so I mentioned the workaround a few days after reporting it.
But I can't imagine not at least telling Apple. In fact, one of the bugs I reported was a longstanding bug I found documented in public. I was just the first one to report it to Apple. It got fixed two weeks after I reported it. I just think it's absurd that we accept the bystander effect when it comes to computer security.
(I originally wrote this reply having forgotten of one of the issues I reported, so if there's anything left that implies only two that's why.)