If the nontechnical team is refusing to forward it to whoever maintains the system, they apparently see no problem and you could disclose it to a journalist or the public. Or you could try it via the national CERT route, have them talk to this organization and tell them it's real. In some cases you could send a proof of concept exploit that you say you haven't run, but they can, to verify the bug. You can choose to retrieve only your own record, or that of someone who gave consent. You can ask the organization "since you think the vulnerability is not real, do you mind if I retrieve 1 record for the sole purpose of sending you this data and prove it is real?"

In jurisdictions like the one I'm most familiar with, it's official national policy not to prosecute when you did the minimum necessary. In a case where you're otherwise stuck, it's entirely reasonable to retrieve 1 record for the sake of a screenshot and preventing a bigger data leak. You could also consider doctoring a screenshot based on your own data. By the time they figured out the screenshot was fake, it landed on a technical person's desk who saw that the vulnerability is real

Lots of steps to go until it's necessary to dump the database as OP did, but I'll agree it can sometimes (never happened to me) be necessary to access at least one other person's data, and more frequently that it will happen by accident

Absolutely not. That's not your concern nor your problem.

They're perfectly capable of hiring incident response experts, and companies commonly have cyber insurance that'll pay for it.

"Demonstrating" is dumb and means you turn an ordinary disclosure into personal liability for you.

Blabbing about it on the internet is just the idiot cherry on the stupid cake.

If your goal is to successfully report and resolve, it is your problem.

Agree otherwise.

In the stories I’ve carefully read, no proof means being ignored by frontline people who are all you can reach,

turning an ordinary disclosure into no disclosure at all.

That's still not your concern or your problem. You're not internet Batman. Opening up yourself to criminal liability for someone else's site is insane.

Lots of good white and grey hats have used anonymity to report for this exact reason.

Whether or not you feel it’s your concern (or “problem”) depends on your thoughts on moral responsibility to others in your society.

Yeeeeah, that's not how it works lol. Anyone who does offensive security for more than 5 minutes understands how little protection they have. And true anonymity is much, much harder than you think.

If you act in certain ways, you will probably not get in trouble but I have a lawyer on retainer for a reason lol

The harsh truth is you aren't protecting anything by doing this, because you can't control how (or if!) they fix the problem. All you're doing by accessing the data is for-real committing a felony, and that is an incredibly stupid thing to do.

> And true anonymity is much, much harder than you think.

You take steps that match the threat model - if it’s important enough to you.

Not everything found is.

Some things are.

Even if you were selfish: it’s your own data being leaked.

You don’t have to be Batman to want your data secure.

If you flip it, we have a dude here admitting to breaching a large number of accounts and gaining access to PII -- including PII about minors.

Are we and the Maltese government just going to trust this guy and assume he has actually deleted everything, with no investigation?

If his goal was to keep the data he wouldn't have reported it?

That doesnt necessarily track. He could have stolen the data, then reported it to clear his own name. He did access more data than he needed to prove that there is a likely breach.

His name didn't need clearing.

How will you ensure the other people who were exploiting the hole have deleted their copies?

What a weird way to think about this.

Is it? if 10 people may have committed a crime, should we exonerate 1 of them because he reported it and promises he didnt do anything?

That depends on provable intent,

and your societal goals for ensuring the next exploit is reported, not ignored or shared online.