The new security disclosure landscape
Rain Forest Puppy (RFP) has written an article on vulnerability disclosure that focuses on the ethics, and the legality, of looking for bugs in web sites you do not own.
"simply put: NO MATTER YOUR INTENTIONS, LOOKING FOR SECURITY VULNERABILITIES IN THIRD-PARTY WEB SITES (without permission) IS ILLEGAL PER THE LAWS OF YOUR COUNTRY. Period. That statement is so important, I will repeat it: NO MATTER YOUR INTENTIONS, LOOKING FOR SECURITY VULNERABILITIES IN THIRD-PARTY WEB SITES (without permission) IS ILLEGAL PER THE LAWS OF YOUR COUNTRY."
I'd have to agree with him, and this is something people aren't taking into consideration when screaming about XSS bugs in major sites.
"The law is the law, and changing that is a long, drawn-out process. While many may not agree with the law, it still is what it is for the time being. And if the laws in your country address cybercriminal activity, then it is likely that looking for security vulnerabilities in a third-party hosted web site is not differentiated in any way from exploiting the third-party hosted web site for malicious purposes. Thus disclosure policies and ideologies that look to describe how to disclose problems found in third-party web sites are a bit of a misnomer, because researchers should generally be discouraged from looking due to the research activity likely to be considered criminal!"
RFP Link: http://blogs.technet.com/bluehat/archive/2007/09/28/the-new-security-disclosure-landscape.aspx