That's a sticky situation - on one hand, the site owner could be very grateful to you for reporting this hole in the security of the site - on the other hand, you could be accused of 'hacking' (term used loosely here), and may find yourself in trouble.

Personally, if I found the hole, I'd report it to the owner - I believe in security and the owner should know about the hole...

After all, if the hole was found by one person, it can most certainly be found by several more - while the first may not take advantage of the hole, the others might, which could be bad news for the site owner..