Now, COME ON! Who are you kidding? Who's to blame if your software is so crappy and full of bugs that you let anyone see your customers' sensitive data? Is it better not to know? Let me use Bruce Schneier's words:
Full disclosure -- the practice of making the details of security vulnerabilities public -- is a damned good idea. Public scrutiny is the only reliable way to improve security, while secrecy only makes us less secure.
Security is a hard game to play - but, come on, YOU chose to play it. You can even destroy a scene, redefine words like 'legal' and 'ethical'. You can't control the hackers' minds.