This is a financial institution that manages inter-bank payment systems in South Korea.
I think when they said *trial* they meant *attempt*, which means the attack did not succeed. But a trial could also be a successful attack that was meant to test whether they could get in before the real fun starts.
So I'm not sure if the attack was successful or not, but assuming it was a successful attack...
Tell them to report it. Tell them it would be a gross violation of their due diligence, and most likely legal responsibility, to not report it.
Tell them not to rely on other people to ensure their network is protected from all of the widely and freely available attack vectors.
Tell them you run a Tor relay, and as such you have no control over who does what, and provide relevant links. Point them to your Tor Exit Notice that is easily and readily available for anyone to see.
Now, if the attack wasn't successful, tell the Network Security Manager that as an inter-banking payment system provider they should expect attacks of varying degrees, but that you still have no way of controlling who does what on the Tor network.
Either way, tell them FCKeditor_Vul is easy to fix, but is entirely their responsibility. Their WYSIWYG editor has a vulnerability - how is that your fault?
Regards,
Matt Speak Freely