Same thing happened in my friend's company and they fired the engineer who identified and exploited the permanent XSS in their competitor's website. Personally I would do the very same thing.
1. It's against the law
2. Extremely unprofessional and childish
3. There are better ways to report security vulnerabilities
Temporary lapses in judgement are exactly what "fireable offenses" are designed to prevent. Bright lines for tolerable acts, especially in regard to outside resources, help everybody know how to stay on the good side of management.
By way of example, some years ago a story went around about HP support being prohibited from suggesting a user adjust their BIOS. This was back in the day when checking BIOS to see if hard drives, ports and RAM were being detected properly (say, Win98 era), but for HP it was a fireable offense. It may not have resulted in the death of any user's computer in any given instance, but the risk of problems was great enough that they couldn't allow support people to deviate from the troubleshooting matrix in this way.
In this case it seems more a problem of ethics than policy, and no doubt Quora is not very large of a company and does not yet have stringent policies like HP's, but to argue "no harm no foul" is to set a bad precedent at the peak of a slippery slope.
Same here. But for developers who've worked at organizations like Mozilla in the past, you'd think they'd be better at handling this the way it should be rather than going script kiddy and juvenile on their own site.