> We did not want to contact FlyCASS first
> as it appeared to be operated only by one person
> and we did not want to alarm them
I’m not buying this. Feels more like they knew the site developer would just fix it immediately and they wanted to make a bigger splash with their findings.
This is exactly the kinda bug where you want to make a big splash though. You don't just want the guy to silently fix it, everyone in the database needs to be vetted again.
Whatever their motive was, the engineering process that allowed such a common bug to sneak in is broken. If the sole developer immediately fixed it, it would have been hard to escalate the issue so that maybe someone up the chain can fix this systematically. I'm not sure such overhaul would really happen but it's more likely that it won't if not escalated.
Yes, and what about the possibility that an attacker already accessed this database and added themself as an employee?
Would you rather be prepared and do a full (well, for a govt agency, full enough) check on all people allowed to access flying death machines, or have a dev silently fix the issue with possible issues later?
Ya, because the person who developed this is totally trustworthy to fully fix it and assess any other possible vulnerabilities. He definitely isn't gonna just add a front-end validation to throw a message on the front end when you submit a single quote...
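Added example, not code from the thread or from FlyCASS: a constructed SQLite table with the assumed columns `name` and `airline`, and two lookup functions, showing why a front-end single-quote check is not a fix (it rejects legitimate names and does nothing for a request sent directly to the server) while a server-side parameterized query handles the same input correctly. All names and functions here are assumptions.

```python
import sqlite3

# Constructed sample data; not FlyCASS's real schema or records.
SAMPLE_EMPLOYEES = [("Alice Smith", "AIRLINE-A"), ("Pat O'Brien", "AIRLINE-B")]


def make_db():
    """Build an in-memory table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, airline TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?)", SAMPLE_EMPLOYEES)
    return conn


def front_end_check(name):
    """The kind of 'fix' the comment above warns about: a client-side check
    that rejects any single quote. It turns away a real name like O'Brien,
    and a request sent straight to the server never runs it at all."""
    return "'" not in name


def lookup_unsafe(conn, name):
    """String concatenation: the user's text becomes part of the SQL itself,
    so a quote in the input changes the statement's structure."""
    sql = "SELECT airline FROM employees WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Parameterized query: the driver passes the value separately from the
    statement, so no character in the input can alter the query."""
    sql = "SELECT airline FROM employees WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both lookups on a legitimate name containing an apostrophe."""
    conn = make_db()
    name = "Pat O'Brien"
    results = {
        "front_end_allows": front_end_check(name),  # False: legit user blocked
        "safe": lookup_safe(conn, name),            # ['AIRLINE-B']
    }
    try:
        results["unsafe"] = lookup_unsafe(conn, name)
    except sqlite3.OperationalError as err:
        # The quote in the name broke the SQL: proof the input reached the
        # statement as code, not as data.
        results["unsafe"] = "syntax error: " + str(err)
    return results


if __name__ == "__main__":
    print(demo())
```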