Because of that, when I come across things that are vulnerable I typically try to let the company know so they can fix it. Most of these are simple things that are indexed by google that were not meant to be public (see this post on google hacking).
I sometimes get responses, but typically do not. The most common response is a simple thank you email. I've had less nice responses as well, such as people angrily demanding to know what my intentions were. No good deed goes unpunished.
Recently I sent an email to a company to let them know they had a misconfiguration that makes every file on their box viewable (with the permissions of the httpd user) by the entire world. Looked kind of like this:
Plus, everything on their box had been indexed by google. Imagine your backups and config files being freely down-loadable and searchable on google!
Even worse, there wasn't just one domain hosted on this vulnerable box...a reverse lookup of the IP showed that the server was hosting 576 domains!
So I sent them a simple email:
Attention Information Security,
I saw this site on google, and happened to notice that you appear to have a sym link in your document root that points back to / allowing access to your entire system through the webserver.
For example, your passwd file SHOULD NOT be publicly viewable.
Please let me know if you have any questions.
I received a response from them, which included this:
It's worth noting that /etc/passwd does not contain any sensitive information, and that although we do not widely publish our configuration, we do not generally consider it to be sensitive as it is relatively trivial to reverse-engineer by experimentation and observation. We conduct regular reviews of our platform's security and take extensive measures to ensure that our servers stay secure.