If/when there is an official response, it will appear on: https://www.splunk.com/page/securityportal/
UPDATE official response: https://www.splunk.com/view/SP-CAAAP5E
As of Splunk 6.6 that endpoint requires authentication: http://docs.splunk.com/Documentation/Splunk/6.6.0/Installation/Aboutupgradingto6.6READTHISFIRST#Prot...
As far as the "license keys" that are exposed, I don't know much about this endpoint, but to my untrained eye they look like they're hashes of the license files.
(An actual license is a signed XML file, for example see this expired license used as part of tests for the Java SDK: https://github.com/splunk/splunk-sdk-java/blob/master/tests/com/splunk/splunk_at_least_cupcake.licen... )
REST Endpoint Description: http://docs.splunk.com/Documentation/Splunk/7.1.1/RESTREF/RESTintrospect#server.2Finfo