You are actually very protected in documenting security flaws, and even republishing them.
I am unsure of who you think enforces laws... as far as I know OpenAI doesn't have their own police force yet.
They can sue you of course, but they generally can't demand compliance with takedowns in this case without first going to a judge and requesting a court order.
There is no "commercial law" unless you mean UCC... which doesn't apply here.