Being more careful is an option, or owning up to it and saying "hey, I just did this and noticed this thing unexpectedly happened, apparently you have an XSS here" (or whatever it was). In most cases, the organization you're reporting to is happy about this up-front information, and in the exceptional situation where someone decides to take it to court, there's a clear paper trail (backed up by access and email logs) of what actions were taken and why, making it obvious you did nothing wrong.