A good deed never goes unpunished. I don't know if I would ever report a security problem like this for fear of needing to deal with this kind of headache (at least with a non-Google-type company).
Anybody have any idea whether my feelings are being unduly influenced by familiarity with these kinds of stories? I doubt there is any real data to make a decision with, but I like to try to stay at least a little rational.
Not really strange. I generally don't report security vulnerabilities either when I find them. Sure, if it's a simple process to file an issue, or I know a knowledgeable person in charge of the system, I'll do it.
But otherwise I simply don't feel like explaining it. I don't feel I have the moral obligation to jump through hoops to get through all the customer bla-bla to someone who understands, and face legal issues, just because I bump into some 'bug'. Someone else will find it eventually. Choose your battles carefully and such...