I'm going to put myself on the scale here, albeit a little reluctantly.
So, over the past few months, I've been discovering and disclosing vulnerabilities in IP.Board. So much so, that the president of the company offered me a complimentary license to do my testing. Obviously, with the source in hand, I was able to find many more problems than I would've otherwise.
Where the dilemma comes in - I have a forum based around security which is pretty new and has the need for publicity and members. To this end, I would release the aforementioned vulnerabilities to the public mere hours after they were fixed in the latest revision. (My forum is powered by vBulletin - I wouldn't find vulnerabilities in IPB if I was using it, because I'd be too lazy to update manually and too paranoid to wait for patches.)
While it led to an increase in traffic, the new people rarely register.
Anyhow, IPS is aware and hasn't complained about this and I still hold the complimentary license.
My question is, should I continue to search for vulnerabilities using the complimentary license, as well as giving out tutorials on how to pwn this very software. And whether there would be a viable case against me in a court of law.