@WPalant If I understand right, the developer found hard-coded credentials being used to connect from his instance to the vendor. I think at that point, he has no reason to believe that using those credentials will give him access to anything other than his own data. As soon as he saw otherwise, he backed out and did responsible disclosure. Two thoughts:
1. This will have chilling effects on responsible disclosure (perhaps the goal).
2. If you give me the credentials needed to access a dataset, I don't think you should be able to claim the existence of those credentials as an access control meant to keep me out.
@pivot So much for the theory. I would very much like to see the next court instance see things in this way. It’s not a given, unfortunately.