If you are the white-hat type, it may not be worth your while to report a security vulnerability – you could wind up a prime suspect if the system in question is ever hacked by someone else.
I think this is a law enforcement/investigations issue – they have a set of rules they follow, and those rules really don’t apply in a world where people create software and then give it away. I’m talking rules like “the criminal always returns to the scene of the crime” kind of stuff. Investigators are naturally incredulous of help – they have a dirty job to do, so it is not all their fault. They’re jaded.
Conclusion: all the more reason to keep on reporting holes, in order to change the mentality. Cooperation benefits everyone, at least in the long run.
That is, of course, not a wise move if your vulnerability outing plans include extortion.
Bruce Schneier says:
“If people can’t report security vulnerabilities, then vendors won’t fix them.”