It depends how you found vuln and if BB requires disclosure. If found via normal website usage, then no. If you security test to find it and BB requires disclosure, then yes. BB = permission to test (with conditions). Security testing while violating BB terms = illegal in US.