After discovering an undisclosed vulnerability on the Internet but not exploiting it, from the perspective of ethics and social responsibility, it is more appropriate to report it to the developer, but strictly speaking, there may be no absolute legal obligation to report it. **Ethics and social responsibility**: - Reporting vulnerabilities helps maintain the network security ecosystem. This can prevent malicious attackers from exploiting the vulnerability to cause greater harm, and ensure the information security of many users and the stable operation of network systems. - Demonstrates good network security literacy and moral qualities, and makes positive contributions to the entire network security community. **Legal perspective**: - At present, most countries and regions do not have clear regulations that unexploited vulnerabilities must be reported. However, if someone subsequently exploits the vulnerability you discovered to commit illegal activities, and you have previously known and been able to report it but did not report it, it may trigger discussions on legal issues in certain circumstances. Overall, although there is no mandatory legal responsibility, proactively reporting undisclosed vulnerabilities is a behavior worth advocating, which is of great significance to maintaining a network security environment.