This more or less happened to my friend circa ~2000s. They were technically amazing for our age. When the school “database” was deleted they and a friend were suspended for an entire month, almost expelled.
Turns out they had warned their teacher that the files were in a public shared folder and anyone could just literally delete them. No backups, these were grades, assignments, etc for dozens of teachers over many years. They were severely punished for trying to disclose a vulnerability essentially and blamed for the whole thing.
This more or less happened to my friend circa ~2000s. They were technically amazing for our age. When the school “database” was deleted they and a friend were suspended for an entire month, almost expelled.
Turns out they had warned their teacher that the files were in a public shared folder and anyone could just literally delete them. No backups, these were grades, assignments, etc for dozens of teachers over many years. They were severely punished for trying to disclose a vulnerability essentially and blamed for the whole thing.
Never report vulnerabilities yourself to an organization, always use a neutral, trusted third party to report it.