I've come across a serious security flaw in one of the B2B web service providers that we operate on behalf of a client. Essentially, one can upload and execute arbitrary code as administrator if they monkey with the parameters in the URL. Many other organizations also use this service, so this flaw affects their security as well.
Normally, I would report this to the software provider right away.
But in this case, the provider's UI is cumbersome, and the ability to upload our own scripts could save my team many hours of monotonous work over the course of this project. (As one example, the normal file upload system allows only one file to be uploaded at a time, even though we eventually need to upload hundreds of them. By exploiting the flaw, I could add a script that allows us to upload large batches of files.)
I'm tempted to exploit the vulnerability until the project is complete and report it after our work is done. But, I worry about the ethics (and maybe legality) of doing this.
How would you handle this, all things considered?
(I'm expecting subjective answers, hence the subjective tag, but if someone can cite real examples or links that discuss the issue in depth, I would sincerely appreciate it.)
[Edit: In case it's relevant, the software provider is a content management system that provides websites primarily for nonprofit organizations. My client is one of these nonprofits.]