Right, and there's no possibility to do research/testing anonymously anyway.
You use your personal e-Signature/ID card to logon to government sites, your logon is always tied to you.
It's possible that the programmers who built the system are really bad at security and really good at audit logging but I doubt it. Personally I would take the risk but I understand why others might not want to.
One of the first things I've recommended with systems that deal with PII or secret data is to see if the vulnerability being reported or discovered has been exploited in the past.
Many different hops will log things like HTTP paths, which include GET information - or DB audit logging which can easily be traced with message ID's or timestamp comparisons. It's surprising how easy it is to trace issues, debug logging is often left on in Production systems..