Same thing happened in my friend's company and they fired the engineer who identified and exploited the permanent XSS in their competitor's website. Personally I would do the very same thing.
1. It's against the law
2. Extremely unprofessional and childish
3. There are better ways to report security vulnerabilities