by muglug 979 days ago
Full disclosure: I work for Slack.

Typically if you think you found a security vulnerability and/or quirk, you contact the company before writing it up and hitting publish[1]. That way the company is not left in a potentially vulnerable state.

[1] https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability...

3 comments

I disclosed this personally 4 years ago via HackerOne. The larger issue, imo, is that it indexes the content and allows an attacker to craft search terms which reveal the full contents of the document, sort of like a blind SQLi. I was told it was working as intended; my report was black-holed on H1, and I was told via email that it was "informational" and not a vulnerability.

It's lame to come on here and act like people reporting this are acting in bad faith. I asked for permission to talk about it and was granted it, so I don't see why the author of this post shouldn't be able to do the same considering he doesn't even get into the search indexing aspect. The company is in a vulnerable state due to negligence in addressing the issue, not because it was publicly disclosed.

This was reported at least 4 years ago and Slack apparently doesn't view it as a security issue: https://nitter.net/SlackHQ/status/1171336897819529219

This has been shared with Slack many times by many separate organizations and always closed with WontFix / Working as Expected.