Try to Help, Go to Jail
You may remember the case of Eric McCarty, who spotted a security vulnerability in USC's online registration system, downloaded seven student records to his home computer in order to prove the problem existed, then reported the problem to SecurityFocus.com. SecurityFocus notified USC and gave USC time to fix the hole, and then published an article about the issue.
Well, the U.S. Attorney's office decided to overlook McCarty's good deed and filed charges of computer intrusion against him, because he had downloaded those seven student records.
McCarty pleaded guilty on Tuesday and has been slapped with three years' probation, with six months of home detention as a condition.
Unfortunately, I have to side with the U.S. Attorney's office here. If you think you see a security vulnerability, the right move is to contact the administrator, and make your case. Do not exploit the vulnerability, even as proof there's a problem: you're still conducting an unauthorized penetration test, and can go to jail for computer trespass.
Yeah, the U.S. Attorney's efforts are misplaced here, but still. McCarty is a security professional, and should know better.