If there isn't a pressing need to do this right now, why not wait until they are older, say 16, and let them make the decision themselves? If they were born in Belgium then they may not have a strong urge to have American citizenship, particularly if they haven't lived there.

Bloody autocorrect: of course, that should read "...another country, say Ireland..."

What do you think the US government's response will be when another company, say Ireland, presents a warrant to Microsoft Ireland demanding data that's physically in a Microsoft server located in the continental US?

I would think a car manufacturer would want positive confirmation that the application of a patch was successful and on which vehicles it has been applied. If there's ever was an accident after a one-way patch deployment, they would have no way to say "no, the patch WAS applied so it's not our fault".

Science involves the finding of/discovery of facts. How those facts are acted upon or used is not the job of the scientist to waste their time with.

Einstein and the other Manhattan Project scientists might disagree with you of this. Scientists have as much an interest in how their work is being used to better society as anyone else does.

The act of reporting the vulnerability likely isn't the problem with the police. The fact that he found the vulnerability is probably what caused the problem the police. Using the website as it was intended to be used almost certainly wouldn't reveal an SQL injection vulnerability. For him to have found it meant he was doing something that may have been illegal.

Just because a website exists does not mean that you have the right to poke at it to find its vulnerabilities. Unless you've been authorized by the owners to conduct vulnerability testing, your actions will be viewed as malicious and may be illegal depending on where you live, and may result in serious consequences even if your intents were not malicious. Unfortunately, the days of something like this being viewed as "harmless" are pretty much gone.

In some ways, this reminds me of the "Kasper Holmberg incident" in Canada in 2008, in which a "well-intentioned" student at Carleton University identified a vulnerability in their student card system and exploited the vulnerability to access email accounts and financial information of a number of students so he could write a paper he sent to the university. He was charged with a number of violations of the criminal code of Canada, sanctioned by the university, and ultimately ended up dropping out of the university. The criminal charges were withdrawn several months later, but that doesn't change the fact what he did was illegal, even if it was well-intentioned.

If this is like the Texas incident, the police were there to provide support for traffic because they're likely the only ones with the authority to direct drivers to pull over. They aren't legally requiring you to participate, just to pull over.