I think this falls under responsible disclosure guidelines. A lot of times companies refuse to fix misconfiguration issues like these, and users/customers deserve to know. Not publishing it is security by obscurity, you're just hoping that a bad actor doesn't figure this out (or hasn't already figured this out).