IAP receipt validation - null Bundle ID

Our app has been in operation for years with thousands of users but today we found a user whose receipt comes with an empty bundleId and application version (null to be precise) and curiously with an odd value for download_id: 9999. Does anyone know how this could happen??
We also found this this happened for the first time today. Exactly the same issue except our download_id was nil. Weird thing is that the bundle_id isn't just null but its the string "null"

Also note: the receipt from the users device was correct but this issue was present in the unified receipt sent from the App Store INITIAL_BUY event callback.

I am pretty certain it's a bug on Apple's end but nothing conclusive yet.
Yeah I'd like to know if there are ways to reach Apple about this. Our code runs validation for the bundleId so the receipt parsing fails when we get a null bundleId.

Came across this issue today when I investigated some beta user reports... We have used on-device receipt verification for several years, and this was the first time I've ever seen a receipt with the correct signature but with bundle_id set to null (and it is not unassigned but actually a string with the contents set to "null")...

Anyways, in our case I managed to narrow it down to being receipts that is downloaded from AppStore using the SKReceiptRefreshRequest while the app has been installed from TestFlight...

When I install the latest AppStore version and request the receipt with the same API call, I get a correct receipt with bundle_id set to the expected value, and when I install the TestFlight version and request the receipt, I get a signature valid receipt, but with an invalid bundle_id (and lots of other fields are missing as well)

IAP receipt validation - null Bundle ID
 
 
Q