When an undisclosed vulnerability is discovered, is there a responsibility to report it to the developer? This question can be discussed from two perspectives: legal and ethical: 1. Legal • Legal responsibilities do not necessarily require reporting vulnerabilities. The specific situation often depends on the relevant laws and regulations of the country or region and the contract terms between you and the platform or service provider. • In some countries, unauthorized security research activities may pose legal risks, so it is best to understand the relevant local policies and regulations before taking action, and seek advice from legal professionals when necessary. • Some institutions and companies have launched "Bug Bounty" or "Responsible Disclosure" programs, which usually reward people who discover vulnerabilities and report them legally; if the vulnerability falls into this category, reporting according to the process can reduce legal risks. 2. Ethical and professional ethics • From the perspective of social responsibility and network security, many security researchers believe that after discovering a vulnerability, the relevant parties should be notified as soon as possible so that they can fix the vulnerability and prevent potential abuse or attacks. • If a vulnerability is maliciously exploited after being made public, it will cause damage to a large number of users and systems, so responsible disclosure helps improve the overall security environment. • It is generally recommended to follow the responsible disclosure process, that is, first contact the developer or company privately, give them a reasonable amount of time to fix the problem, and then disclose the vulnerability information publicly with the consent of both parties. 3. My suggestions • If it is confirmed that the vulnerability is a serious and undisclosed security risk, you can consider contacting the developer or relevant security team. • When reporting, try to provide detailed information, such as vulnerability details, reproduction steps, etc., but at the same time, be careful not to disclose sensitive information to avoid being exploited by criminals. • Find out whether the target company or platform has a special vulnerability reporting process and contact channels, and provide feedback through formal channels. • It is also recommended to collect records related to your own behavior before reporting, to ensure that you can prove that the original intention of the behavior is to improve system security, not for other purposes. It should be noted that I am not a legal expert, and the above suggestions are for reference only. It is best to combine your own situation and expert opinions when doing specific operations. If you are more concerned about the risks, it is safer to seek professional legal and security advice.