That is one hypothetical scenario, yes. Another hypothetical scenario is that as a result of responsible disclosure the site owners patch the hole and ensure customer data isn't publicly accessible before the vulnerability is public knowledge.
Seems reckless to me to not even _try_ responsible disclosure. You don't have to wait a year. But at least give a chance for the problem to be solved before you make it common knowledge.