I had a situation like that a few years ago.
Someone accidentally included the .git directory in a docker image that was deployed to a customer's website.
Unfortunately early check-ins of the .git directory included a copy of the WordPress (yuck!) config file with hard-coded passwords. Those were moved to environment variables, but never changed. And for some reason the "developer" left indexing turned on. So the person was able to download the git directory and walk back through the history and found the passwords... and then connected to the database which had some mild PHI (first names and phone numbers).
Since the tech contact for the domain came back to my company and not the developer, they reached out to me. After a few pleasant emails back and forth he told me exactly where he found the passwords. I rotated passwords and yelled at the developer, and thanked the guy who found it. He kindly asked if I would "donate" to him by buying something from his Amazon wishlist. I should note that he asked after he told us exactly what the problem was.
I discussed it with the client and they picked some ~$400 item from the list and sent it to him.
It could have been worse, but everyone involved agreed that it would be nice to reward the guy for pointing out the blunder.
$400 was a small price to pay for the client since they do something like $10 million USD per month. After that the client paid for a full security audit of their web presence by a 3rd party company and everything came back clean.
Do what you think is appropriate, but I'm all for encouraging responsible and positive disclosure as well as being kind. If the guy had started the email with "send me money or else I'll disclose" the entire process would have been very different.
-A
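The failure mode in the post above is worth checking for on your own repositories: moving a credential out of a config file and into an environment variable does not remove it from git history, so any copy of the .git directory that leaks still carries it. The following Python script is an added example, not code from the commenter; it parses the text output of `git log -p --all --reverse` (fed in here as a constructed sample log with invented commit hashes, file names and placeholder values) and reports every WordPress-style credential define that ever appeared, separating "present somewhere in history, so rotate it" from "still in the tree tip, so remove it as well".

```python
"""Find hard-coded WordPress-style credentials anywhere in git history.

Added example (not from the original post). Input is the text of
`git log -p --all --reverse`; SAMPLE_LOG below is constructed for
illustration and every hash, path and value in it is a placeholder.
"""
import re

# Credential-carrying defines in wp-config.php, e.g. define('DB_PASSWORD', 'x');
# A define whose value is a call such as getenv('DB_PASSWORD') does not match.
SECRET_DEFINE = re.compile(
    r"""define\(\s*['"](?P<name>DB_PASSWORD|DB_USER|AUTH_KEY|SECURE_AUTH_KEY)['"]"""
    r"""\s*,\s*['"](?P<value>[^'"]*)['"]"""
)
COMMIT_LINE = re.compile(r"^commit ([0-9a-f]{7,40})")
FILE_LINE = re.compile(r"^\+\+\+ b/(.*)")


def scan_git_log(log_text):
    """Return one finding per added/removed credential line in the log.

    Each finding: {'commit', 'path', 'name', 'value', 'state'} where
    state is 'added' for a '+' diff line and 'removed' for a '-' line.
    """
    findings = []
    commit = path = None
    for line in log_text.splitlines():
        m = COMMIT_LINE.match(line)
        if m:
            commit, path = m.group(1), None
            continue
        m = FILE_LINE.match(line)
        if m:
            path = m.group(1)
            continue
        # Skip diff headers and context lines; keep only +/- content lines.
        if line.startswith(("+++", "---")) or len(line) < 2 or line[0] not in "+-":
            continue
        m = SECRET_DEFINE.search(line[1:])
        if m:
            findings.append({
                "commit": commit, "path": path,
                "name": m.group("name"), "value": m.group("value"),
                "state": "added" if line[0] == "+" else "removed",
            })
    return findings


def summarize(findings):
    """Return (to_rotate, still_in_tip) as sorted lists of (path, name, value).

    to_rotate: every credential that appeared in any commit, even if a later
    commit removed it (history still exposes it, so it must be changed).
    still_in_tip: credentials whose most recent change was an addition
    (assumes the log was produced with --reverse, oldest commit first).
    """
    last_state = {}
    for f in findings:
        last_state[(f["path"], f["name"], f["value"])] = f["state"]
    to_rotate = sorted(last_state)
    still_in_tip = sorted(k for k, s in last_state.items() if s == "added")
    return to_rotate, still_in_tip


# Constructed sample: credentials committed, then "moved" to env vars.
SAMPLE_LOG = """commit 1111111111111111111111111111111111111111
Author: Example Dev <dev@example.invalid>
Date:   Mon Jan 1 00:00:00 2018 +0000

    add wordpress config

diff --git a/wp-config.php b/wp-config.php
new file mode 100644
--- /dev/null
+++ b/wp-config.php
@@ -0,0 +1,4 @@
+<?php
+define('DB_NAME', 'shop');
+define('DB_USER', 'shop_user');
+define('DB_PASSWORD', 'PLACEHOLDER-not-a-real-password');

commit 2222222222222222222222222222222222222222
Author: Example Dev <dev@example.invalid>
Date:   Tue Jan 2 00:00:00 2018 +0000

    move db credentials to environment variables

diff --git a/wp-config.php b/wp-config.php
--- a/wp-config.php
+++ b/wp-config.php
@@ -1,4 +1,4 @@
 <?php
 define('DB_NAME', 'shop');
-define('DB_USER', 'shop_user');
-define('DB_PASSWORD', 'PLACEHOLDER-not-a-real-password');
+define('DB_USER', getenv('DB_USER'));
+define('DB_PASSWORD', getenv('DB_PASSWORD'));
"""

if __name__ == "__main__":
    to_rotate, still_in_tip = summarize(scan_git_log(SAMPLE_LOG))
    print("Rotate (ever committed):", to_rotate)
    print("Still in tree tip:", still_in_tip)
```

On a real repository, pipe `git log -p --all --reverse` into `scan_git_log`; the second commit in the sample is exactly the "moved to environment variables but never changed" case from the post, and the script still lists both values under "rotate". Keeping .git out of images in the first place is a separate control (a `.dockerignore` entry for `.git`), and is worth adding alongside the rotation.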