by LXicon 5366 days ago
i agree with you that preserving anonymity is a valid goal. spending 20-30 minutes on the phone is not how one should run something like a whistle-blower's hotline.

i don't agree with the idea that you are "...being kind and generous by not exploiting...".


I'm curious, if notifying them instead of exploiting the bug doesn't qualify as 'kind', then what do you call it?

As far as I'm concerned that's being bloody gracious and generous.

yes, notifying them is kind. simply not exploiting them is not.

it's like saying i'm being kind for not robbing someone.

It's more like, "I found your wallet, here it is, and all the money is still there." Perhaps honorable is the right word we are looking for here.

hardly. exploiting the vulnerability is clearly and objectively illegal. It is likely to affect not only the company itself but also any innocent customers one might defraud.