by tptacek
5192 days ago
The FBI is not going to come after you for publishing a DOS vulnerability in a mobile app; in fact, you could find and publish remote code execution in an extremely popular application (say Instagram or Twitter) without even telling the vendor and still not be in any trouble. People do it all the time. Most of the stories you hear about people getting in actual trouble over vulnerability research involve web vulnerabilities. You cannot hack someone else's web site to make a point, even if the underlying point is unimpeachable ("this application is insecure and people should know about it").