Why? It's Apple's bug. Someone found a bug Apple doesn't know about. Why should they be required by law to tell Apple about it?
Apple should find their own bug, or, you can find it, and tell Apple about the exploit for free.
1. It is actually virtually impossible to find all the bugs. Even Intel can't find bugs on its own in its CPU firmware that despite having one of the most strictest QA validation program on the planet.
2. Because this bug allows someone to break the security. If you have a house that uses a security system and someone found a bug in it, and instead of telling the authorities, he or she tries to sell it. If your house was robbed as the result of this bug and the person who sold it knew it was going to happen, you wouldn't blame the person for not telling the cops about the issue?
3. This firm didn't find any bugs, they intentionally started a contest and paid someone big bucks for the bug and knowing that this is a major security bug, they decided to withhold it from Apple and sell the exploit to anyone who is willing to pay.