This one I agree with. I wouldn't use the service personally until the issue is fixed. But it is so counterproductive to find a security problem the average user wouldn't notice, and then not tell the author about it.
I wouldn't use the service even afterward. The dev didn't think about CSRF for a year. What else didn't he think about?
Don't get me wrong - I think very highly of what 'StavrosK is trying to do here, and I agree that it's counterproductive not to report an issue once found in a case like this. (There's a certain degree of nuance made necessary by the fact that kill-the-messenger reflexes make vulnerability reporting so fraught in general. But that doesn't seem likely to obtain in this case, so I'd report, probably not even anonymously.) But at this point that trust just isn't coming back.
