
> It certainly wouldn't be ethical

There are circumstances where I would consider it ethical. For example, publishing the logs after a month (or whatever) delay and after notifying the relevant parties to fix their configs and change any secure information exposed.

In that case, it's similar to security researchers releasing the information, and I imagine it also protects him from liability in some ways. Firstly, he treats all traffic the same and has a public policy of exposing it; I think that more clearly puts the problem on the people sending the data to a public location. Secondly, people at a company that are looking at a security problem won't notice some info went out to him and, grasping at straws, look to cover their own asses by trying to say that's where the problem must have come from.


