Numerous security researchers complained that the Weev/ATT case had unfortunate implications for security research. I'd argue it had even worse implications for the customers of companies whose calls US Attorneys will take. When they call the prosecutors rather than their IT staff, the customer suffers. Reasonable people can disagree about the proper form of disclosure, but surely the CFAA doesn't contribute constructively to that conversation.


I'm not happy with the idea that an IRC log taken out of context created a conspiracy conviction for Auernheimer, but that said, this is a bit of a false dichotomy. The options aren't simply "silently tell the company" and "publicly shame the company by publishing sensitive data". There's also "tell the company and present a timeline in which you're going to alert the press of the vulnerability without publishing personal information of any sort"; that option is the gold standard used by security researchers.

Having said all that: testing for vulnerabilities in other people's deployed web applications is fraught and should be so. If you think consumers should be entitled to know about vulnerabilities, tell them to use only applications with a published disclosure policy, like Google and Facebook and 37signals have.


Indeed that is excellent advice. I'm not sure what one's options are with respect to mobile phone service (this seems like the sort of thing "Ting" might do), but I'd avoid ATT.
