Imagine the following situation: I found a security vulnerability on a website. The website could be totally destroyed, the data could be stolen, and so on. I'm not going to do any of this, of course. I want to notify the owner of the website. But at the same time I want to publish an article about this particular security vulnerability. So I have two long questions:

1) E.g. I sent the notification to the owner on 12.01.2010. The owner had not fixed the problem by 12.15.2010, when I published the article. Some unknown guy read the article and ruined the site on 12.16.2010. Am I responsible? Is a two-week time frame reasonable?

2) Regarding the notification to the owner. OK, I see the problem. I understand it. But if I tell a regular online store something like "Hey, you have an nginx null pointer dereference", it means nothing to them. In order to be understood I could (theoretically) upload a file to their website to create a page hiswebsite.com/it_is_a_problem.html. That would be proof even business people can understand. And it's harmless. But isn't it illegal?

Thanks in advance. And sorry for the language. English is not my native language.