Forget the legal consequences. Reporting vulnerabilities is work. By your logic, by doing some work in my spare time, I am morally obligated to do more work for others. I'm better off just picking something else to work on.
Perhaps so... As long as you recognize that your work is inherently dual-use (it has effects beyond your initial intent), and you don't intentionally hide that fact from yourself or others, then I have no problem with what you do.