I used to report things like this that I had found, including cases where I can see people used the default "sample" config for security purposes, but I found that either people would not care at all, or massively overreact and somehow blame me.

If an organisation is disorganised enough to leave critical details in public, they're probably too disorganised to handle someone reporting it.