Usually when these things are investigated it turns out the targeted company had obvious security vulnerabilities and were too obtuse to correct them. Consider a bank keeping their cash in an open box in the middle of the street. It's wrong to raid the box, but it's also irresponsible of them not to have good security in place.
Yes, and WhiteHats would raise those security concerns with the company, privately, and work with them to get it solved. If the company didn't work to fix them, that's when you raise it publicly.