You prove DDoS vectors exist by DDoSing your own site, or one you have permission to work on. Same with SQLi vulnerabilities. If you want to report a vulnerability you've found to a company, include a working exploit in your report, but don't run it. If the company ignores you or tries to brush the vulnerability off, that's where it gets hairy and responsible disclosure comes into play.
We don't know what his level of communication was with Apple, but it doesn't appear that he notified them before testing this exploit. Had they refused to address the issue or otherwise brushed him off, this would be a reasonable escalation. The same story on r/netsec [1] is being linked to a Forbes article [2], which claims he notified Apple three weeks ago. That's not a ton of time.
Ultimately, he very much violated their ToS and Apple is well within their rights to give him the boot. Whether that was a smart decision on their part remains to be seen.
Since the only place you can install software on iOS devices is through the store, it is important to demonstrate the attack vector by which it can be gained.
It indicates both a security flaw in the platform itself and a security flaw in the app store approval process; both should be highlighted.
Since he has control over pricing, couldn't he submit with a free price tag, and change it to something insanely high once accepted? That way no sane person would buy it, and he'd still prove his point.
He _had_ to submit an app and get it in for this to work of course, otherwise this was a moot point. And it's a good wakeup call to everyone. Security awareness helps sometimes unfortunately when you make a splash.
Otherwise, while I think you've got a point (he could have used pricing to ensure no one ran his app), that isn't the issue here. The disclosure is. No one is contending he did something evil with his code, it's that Apple is mad about his code and disclosure. I don't think making it unlikely to be purchased would have helped.
For one, he could have submitted it and then had it "held for developer release" — at which point he told them about it. There's no reason he had to have it actually in the App Store here, even if he wanted to test the approval process.
^^This. And he [1] probably told them immediately afterwards, since otherwise they still wouldn't have known. As he says: he regularly submits bugs.
[1] Or perhaps someone beat him to it: he may not have seen the acceptance mail before someone already noticed the app? I'm not familiar with the exact process: do you need to give final approval or can the app be in the store for a while without you knowing it?