Should I tell the other party whether to be rewarded or punished for the discovered vulnerabilities?

Today I suddenly think of a question:

If a discovers a Password vulnerability that a company B provides to customers, such as a blog or album space, he can master the method of cracking, then, when a does not perform any destructive actions, he will take the initiative to tell B what kind of compensation should a get? What will you do if you find it? Audible color? Will it be a bit difficult? It's like seeing a neighbor's door unlocked?

Then, a netizen's answer surprised me very much: "around 2002, a traditional hacker discovered a company's vulnerability and did not do anything bad, in addition, a patch program was written to the company. (These actions must be observed by traditional hackers), but the company has taken the hacker to court. ."

Before a hacker discovers a vulnerability, he must use an unusual method to try it. I used several keys and several methods to find that the bank door can be opened under certain circumstances. I opened and closed the door. Then I did not disclose the method and took the initiative to notify the bank, have I broken the law? (In fact, I already think this is against the law, otherwise it will not be a mess, then it will be OK ?) I think there is still a little truth, but the software and hardware layers should not be confused. I think, from a legal perspective, it is more important to look at motivation. However, if you try to open the bank door, even if your motivation is to exercise the door-opening technology or purely fun, and you do not want to gain benefits from it, no one will believe this motivation.

Be careful when trying to discover or accidentally discover other people's vulnerabilities.