I think that the second scenario in your analogy is somewhat creepy too. Why are they trying all of the doors? A person should have a reasonable expectation of privacy in their house, to be able to walk around in their underwear or whatever without someone just opening the door on them.
Edit: Note that in this analogy the keys aren't fully visible from outside and it requires opening the door to be sure that the keys were accidentally left out
If your security is "http://example.com/1234/secret_data/", but 1234 is your customer number, and changing the customer number gives you someone else's data, then the analogy is more like:
"the sheriff has told everyone that there's a bad dude wandering round town trying doors, and [responsible citizen] noticed that everyone had identical door-keys which would open every lock".
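The customer-number-in-the-URL case from the comment above, as an added example that is not part of the thread: a vulnerable lookup beside a hardened one, plus a check over constructed access-log lines for reads that crossed account boundaries. The data store, user names, log format and function names are all assumptions made for illustration.

```python
import re

# Constructed sample store: customer_id -> record owned by one logged-in user.
CUSTOMER_DATA = {
    1234: {"owner": "alice", "secret": "alice's invoices"},
    1235: {"owner": "bob", "secret": "bob's invoices"},
}


class Forbidden(Exception):
    """Raised when the session user may not read the requested record."""


def secret_data_vulnerable(session_user: str, customer_id: int) -> str:
    # The number in /<customer_id>/secret_data/ is treated as the authorization:
    # any logged-in user gets whichever record they typed. This is the bug.
    return CUSTOMER_DATA[customer_id]["secret"]


def secret_data_hardened(session_user: str, customer_id: int) -> str:
    # Authorization is decided server-side from the session, not the URL:
    # the record must belong to the authenticated user.
    record = CUSTOMER_DATA.get(customer_id)
    if record is None or record["owner"] != session_user:
        # One response for "not yours" and "does not exist", so the id space
        # cannot be mapped by telling 403 apart from 404.
        raise Forbidden(f"{session_user!r} may not read customer {customer_id}")
    return record["secret"]


def can_read(session_user: str, customer_id: int) -> bool:
    """Hardened lookup as a yes/no answer, for callers and tests."""
    try:
        secret_data_hardened(session_user, customer_id)
        return True
    except Forbidden:
        return False


# Assumed log line shape: "<session_user> GET /<customer_id>/secret_data/ <status>".
LOG_RE = re.compile(r"^(?P<user>\w+) GET /(?P<cid>\d+)/secret_data/ (?P<status>\d{3})$")


def cross_account_reads(log_lines):
    """Return (user, customer_id) pairs where a user fetched a record they do
    not own. On the vulnerable build these succeed with 200 and leave no other
    trace, so this is the kind of check "verify in your logs" amounts to."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        cid = int(m.group("cid"))
        owner = CUSTOMER_DATA.get(cid, {}).get("owner")
        if owner is not None and owner != m.group("user"):
            hits.append((m.group("user"), cid))
    return hits


SAMPLE_LOG = [  # constructed access-log lines
    "alice GET /1234/secret_data/ 200",
    "alice GET /1235/secret_data/ 200",
    "bob GET /1235/secret_data/ 200",
]
```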
But all kidding aside, it sounds like the sheriff is the hacker, who has discovered through investigation that every lock is exactly the same.
That said, a hacker isn't elected to protect people, they are doing it out of the "kindness" of their heart. What a lot of people get in trouble for is hacking first and asking for permission after.
If you go up to a company with a statement like "I think you may have a vulnerability in your software. I haven't tested this hypothesis (you can verify in your logs), but with your permission, I could check it and report back to you," most companies would probably be thankful; others might instead get mad and handle it internally. But if you DON'T hack first, you have nothing to really worry about.
If I logged in to a service and saw a URL like http://example.com/1234/secret_data, calling them with a report of a potential vulnerability would be a waste of their and my time 98% of the time. And there's an infinite number of such "potential vulnerabilities" to report, too. Like on HN, I see I can edit my profile description over at https://news.ycombinator.com/user?id=TeMPOraL. I wonder what happens when I change the 'id' param? Better not try it out, but call 'dang immediately!
Discovering an actual vulnerability in the first place requires doing something that could be considered hacking.
Ask Weev, while being a troll... Apparently he gets to go to jail for using numbers at the end of a URL... ICC ID... So you try one number, then another, then disclose it, and yeah... Go to prison. Welcome to America.
Sorry, I didn't word that correctly. I was referring to actually leaving the keys on the outside. What I was trying to get at is the mental image of a shady person skulking around in a backyard. I think many people have that sort of "what were you even doing there" perception of so-called hackers regardless of their flavour. If they instead realized that a public facing interface is something that will inevitably be explored over and over again, they would have a different opinion.