Security vulnerabilities can be found anywhere, and I'd much rather hear about them from you than find out when my data turns up in a data dump somewhere. To that end, if you find a vulnerability in my site I encourage you to report it to me responsibly. In return I won't take legal action against you, so long as you've followed the guidance on this page.
What is responsible disclosure?
That's a big discussion point in itself, but in this instance I mean reporting the issue to me, and only me, and giving me time to verify and fix it before you disclose it more widely. You should avoid making any changes to the site beyond a proof of concept, and that proof of concept must not be malicious (no data exfiltration, no defacement, no denial of service).
More information on responsible disclosure on Wikipedia.
How can I contact you?
See my security.txt.
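A security.txt file (RFC 9116) is a small "Field: value" text file served at /.well-known/security.txt that tells a reporter where to send findings. Before trusting one, a reporter should check that it has the required Contact and Expires fields, that the contacts are real URIs, and that the file has not expired, since a stale file can point at an abandoned mailbox. The following Python is an added example written for this page, not the site's own file or code; the sample file it parses is constructed for illustration, and every address and URL in it is a placeholder.

```python
"""Parse and sanity-check a security.txt (RFC 9116) before reporting.

Added example: this is not the site's own file or code. The sample below is
constructed for illustration; its addresses and URLs are placeholders.
"""
from datetime import datetime, timezone

# Constructed sample file in RFC 9116 format (placeholder values only).
SAMPLE_SECURITY_TXT = """\
# Example security.txt (placeholder values)
Contact: mailto:security@example.com
Contact: https://example.com/security-contact
Expires: 2030-06-30T23:59:59.000Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security-policy
"""

# Field names defined by RFC 9116 (extension fields are permitted but flagged below).
KNOWN_FIELDS = {"Contact", "Expires", "Encryption", "Acknowledgments",
                "Preferred-Languages", "Canonical", "Policy", "Hiring"}
REQUIRED_FIELDS = ("Contact", "Expires")
SINGLE_VALUED = ("Expires", "Preferred-Languages")   # RFC 9116: at most once each
CONTACT_SCHEMES = ("mailto", "tel", "https")         # Contact values must be URIs


def _parse_time(value):
    """Parse an RFC 9116 timestamp (ISO 8601); a missing zone is treated as UTC."""
    ts = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def parse_security_txt(text):
    """Return {field: [values...]} in file order; comments and blank lines are skipped."""
    names = {k.lower(): k for k in KNOWN_FIELDS}
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'Field: value', got {raw!r}")
        name, value = line.split(":", 1)
        # Field names are case-insensitive; normalise known ones to the RFC spelling.
        name = names.get(name.strip().lower(), name.strip())
        fields.setdefault(name, []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return the problems a reporter should notice before trusting the file.

    `now` is an ISO 8601 string; it defaults to the current UTC time."""
    now = _parse_time(now) if now else datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    for req in REQUIRED_FIELDS:
        if req not in fields:
            problems.append(f"missing required field {req}")
    for single in SINGLE_VALUED:
        if len(fields.get(single, [])) > 1:
            problems.append(f"{single} must appear at most once")
    for contact in fields.get("Contact", []):
        if contact.split(":", 1)[0].lower() not in CONTACT_SCHEMES:
            problems.append(f"Contact is not a mailto/tel/https URI: {contact}")
    for canonical in fields.get("Canonical", []):
        if not canonical.startswith("https://"):
            problems.append(f"Canonical is not an https URL: {canonical}")
    for exp in fields.get("Expires", []):
        try:
            expires = _parse_time(exp)
        except ValueError:
            problems.append(f"Expires is not a valid timestamp: {exp}")
            continue
        if expires <= now:
            problems.append(f"file expired at {exp}; its contact details may be stale")
        elif (expires - now).days > 365:
            problems.append(f"Expires is more than a year away ({exp}); RFC 9116 recommends less")
    for name in fields:
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field {name}; extension fields are allowed, but check the spelling")
    return problems


if __name__ == "__main__":
    # Fixed reference time so the sample evaluates the same way whenever it is run.
    for problem in check_security_txt(SAMPLE_SECURITY_TXT, now="2030-01-01T00:00:00Z") or ["no problems found"]:
        print(problem)
```

The expiry check is the one that matters most in practice: an expired security.txt is a hint that the contact route may no longer be monitored, so a reporter should look for a second channel before sending details anywhere.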
- Gaurang Maheta for discovering I had a stale DNS record - see this blog post