Putting the legal issues aside? It doesn't matter either way: security vulnerabilities trump copycats (in my opinion).
Publicly releasing details of an XSS vulnerability on a third party's site has much bigger ramifications than a copycat site. Plenty of websites deal with copycats all the time: they're frustrating, but they're not necessarily overly threatening. On the other hand, a 0 day could compromise the security of user information. In certain fields, that could completely destroy your business.
Publicly releasing details of an XSS vulnerability on a third party's site has much bigger ramifications than a copycat site. Plenty of websites deal with copycats all the time: they're frustrating, but they're not necessarily overly threatening. On the other hand, a 0 day could compromise the security of user information. In certain fields, that could completely destroy your business.