The CFA is so broad that basically doing anything to a server that the server operator didn't anticipate is a violation. And since it was written to protect major companies' infrastructure in the 80s and 90s, the penalties are incredibly harsh.
In order to find the vulnerability you almost certainly have to try it out. Even for an XSS, you'd have to make a JS alert box pop up for yourself. And then you've technically broken the law, since you hacked the website.