[bsza]

Nothing morally wrong about finding an exploit in a system, it's what allows you to make it more secure in the future. Perhaps the most ethical course of action would have been to disclose this to Google/OAI first (which I don't know whether or not has happened), but I find that optional in this case since this isn't really a vulnerability in the conventional sense.

[digitaltrees]

Finding an exploit with the intent to patch it is different that finding the exploit and using it for personal gain which, in turn, is different than finding the exploit and publishing it for open source ecosystem use.

It’s kind like if I took a picture off of your facebook with your keychain, and used it to make a copy of your house key. You’d probably prefer I reached out and told you to take down the picture instead of creating a template of the key for anyone to download and make a copy along with your home address.