They're some of the top security researchers in the world and are given autonomy is why. Which is what the security community has settled on being the right incentive structure when optimizing for end user security.
In the case of these recent iOS bugs, they didn't "air them" until after the fix was released. So any "back channel", if you could call it that, seems to exist for Apple too.
I suspect they are, but backchannel them to the development team, versus airing them.