Whether or not you have a duty to report an undisclosed vulnerability to the developer after discovering it often depends on a number of factors, including ethical, legal, and practical considerations. 1. **Ethical responsibility**: From an ethical perspective, reporting a vulnerability can help protect the security of users and prevent malicious attackers from exploiting the vulnerability. Therefore, many people feel a responsibility to notify the relevant developer or company so that they can fix the vulnerability. 2. **Legal responsibility**: Legal responsibilities may vary from country to country or region to region. In some jurisdictions, holding or not reporting a vulnerability may be considered illegal, especially if the vulnerability could pose a threat to the public or the company. 3. **Responsible disclosure**: Many companies have a "responsible disclosure" policy that encourages researchers or discoverers to notify them in a timely manner without making the details public. This often gives the discoverer protection and, in some cases, a possible reward. 4. **Personal risk**: When reporting a vulnerability, it is important to ensure that you are not legally or professionally at risk, so it is usually recommended to report through official channels or with the assistance of legal counsel. Overall, even if you do not exploit a vulnerability, proactively reporting to the developer is often seen as a responsible and constructive approach that helps maintain the overall health and security of the cybersecurity ecosystem.