quora.com/How-can-I-disclose-huge-security...
Bill Woodcock, Executive Director at Packet Clearing House (1994-present)
Responsible disclosure dictates that you inform the company (in writing, cc’d to their general counsel and compliance manager, being very clear that you’ve presented all the information you possess, that you’re not asking them to give you anything, that you did not come by the information illicitly, and that the communication is the last and only involvement you want to have in their problem) and simultaneously inform whatever CERT you’re a constituent of. Make sure the company and the CERT are both aware that you’ve informed each other.
At that point, it’s up to them to do the right thing, and the CERT to hold them to it and move along to public disclosure on a reasonable timeframe.
Yes, all CERTs talk to each other. If you’re unclear on any of the above, you’re welcome to contact me directly, and I can help you raise the ticket with your local CERT, since they’ll be my colleagues.