by anglebracket 4490 days ago
>The attack made the code throw an exception and some of my escaping characters caused havoc with their error logger

Heh, something similar happened to me during a recent audit. I didn't even know until an admin emailed me saying that I'd broken a bunch of batched jobs, and not to test that until it was fixed.

>A generic, flimsy, non-personal "everyone can try and 'hack' us and it's OK" policy published somewhere is just too little protection

It hasn't worked out too badly for me. I stay away from industries with lots of "suits" (banking, etc.), but if a company is implicitly encouraging independent pentesting by publicly crediting reporters, and you act in good faith, I can't see any charges sticking.