So the problem with this sort of disclosure is that you did it more than once and withdrew money. Once you were aware of the vulnerability, it wasn’t your responsibility to test its limits and it certainly wasn’t a good idea to commit bank fraud to test it out, IMHO.
If you walk by my house and notice that my spare key is visible to passersby, the correct thing to do is knock on my door and let me know or to leave me a note. Using the spare key to open my door and leave the key on my kitchen counter, while helpful, is a violation of my privacy and makes me wonder if I can trust that all you did is put my key inside…
(I coincidentally canceled my Chase card just last month in favor of my Amex, since the Rewards Points are not really redeemable for anything that I want or need (they used to be redeemable for cash and/or Amazon gift cards but not anymore, at least not on my card).)
I wonder what part of the story isn’t allowed to be legally disclosed, this was a fascinating read.