The U.S. Attorney's office has charged an IT security expert with unauthorized computer access after he report a vulnerability on the University of Southern California's website. No data was modified or deleted. He also notified USC through SecurityFocus, giving them time to fix the problem, before going public. More info and commentary at NIST.org
(Please return here to comment)
Quite frankly I think the USC did the correct thing by notifying the FBI.