Is finding a vulnerability a crime?
I would like to ask the Khabrovites.
I found a SQL injection on the website of one large (federal-level) state office (obtaining full access to the database, including logins and passwords in clear text) and sent a description to technical support.
The question is purely theoretical: can I be held liable if I only discovered a vulnerability and did not use it in any way? Still, I'm worried about the fact that the office is a state one and that I discovered the vulnerability purely by accident (in the sense that I did not use special software, proxies, or anonymizers).
You'd better send for two hours next time, they know what to do. And your head won't hurt.
Legally, they can. In reality, it depends on the adequacy of specific people.
If the goal had not been set, they would not have been found!
And if you found it, then you had a goal.
I.e., intentional actions.
And deliberate - a crime.
That's the whole logic of people who replenish their PR-level for issuing people like you in a negative form to those who do not understand anything about this...
Unfortunately...
Good luck to you!!! (you will need it!)
Everything is possible with us.
And the legitimacy of what you did was introduced at the legislative level only in the Netherlands, as far as I know, and there was an article on Habr.
1. Use the vulnerability.
2. Wipe the logs.
3. Leave tracks through a proxy.
4. Send feedback to admins.
…
5. PROFIT
Well, what do you think?
Imagine you are a local admin/head of the IT department. I want a promotion and a bonus, and here you are, so handsome, with a report. If it was a hacker through Tor, then go find him and prove it, but you wrote to tech support directly from your home computer: come and imprison. Television, bonuses, promotions, the homeland is safe, they give you a couple of years on probation, everyone is happy, incl. you, who got off lightly. And that you can now work only as a loader, well, what can you do.
On the other hand, having left traces in the logs and not written to technical support, you probably risk even more.
Thus, it turns out that just by accidentally discovering a vulnerability, you already have one foot in jail.
Well, if we consider the negative scenario. Perhaps there is a good guy at the head of the IT department who will send you a letter of gratitude, but practice shows that more often than not.
At least here: habrahabr.ru/post/166459/
The president of Skytech said that the guy faces 6 to 12 months in prison if he doesn’t come right now and sign an NDA ...