As an entrepreneur trying to start a company it’s disheartening to see someone interpret the motivations of a bootstrapped ICO the way you have. A founders might start his company with $0 and 1000+ hours of hard work. Hiring lawyers and security experts is expensive, and they only receive the millions of dollars after publishing the smart contract, so what if they aren’t wealthy enough to afford that sort of thing before launch? Your assumptions regarding a founder’s greed seem like they can’t be correct 100% of the time, so in effect every wallet you steal from has some percentage chance of being an honest developer who made a mistake and is now ruined for life because of your actions. It is clearly the wrong thing to do. The right thing to do is tell the person about the security vulnerability and then maybe ask for a tip. No?