Do not do this to random people's websites. Google is one of an enlightened few. You will be surprised how easy it is to piss people off just by looking for cross-site scripting; something innocuous you do is going to cause popups to appear for all their customers, and they're going to go ballistic.
Just for the record that Google announced that they allow certain checks - http://googleonlinesecurity.blogspot.com/2010/11/rewarding-w... (actually encourage and reward - better than people publicly releasing these for sure) but even for them many vulnerabilities are still out of scope. Otherwise as you stated this is illegal in almost all countries.
People have gotten into legal trouble doing this.