@jollysea no, I don't think there's a big difference between security researchers finding such vulnerabilities in an organized way, and people "stumbling into them" (as far as ethics are concerned).
The crucial question is what happens later. Do they report it and coordinate disclosure with the vendor (or, in this case, people from the LU parliament)? Do they sell to the highest bidder? Do they exploit it for their own gain?