In theory there is no difference between theory and practice, but in practice there is.
> If they haven’t, it would be ethically dubious for you to not report it.
I can report all I want, but someone needs to act on that report for it to have an effect.
There are people out there who think that some static analysis tool plugged into their CI/CD pipeline is the equivalent of a code audit.
But the aforementioned NIST standard requires a lot more from auditing and operations.