Comment by lucb1e

5 days ago

Yes, this routing is common. German energy company recommended by a climate organization had a somewhat similar vulnerability and no security contact, so I call them up and.. mhm, yes, okay, is that l-e-g-a-l-@-company-dot-de? You don't want me to just send it to the IT department that can fix it? Okay I see, they will put it through, yes, thank you, bye for now!

Was a bit of an "oh god what am I getting into again" moment (also considering I don't speak legal-level German), but I knew they had nothing to stand on if they did file a complaint or court case so I followed through and they just thanked me for the report in the end and fixed it reasonably promptly. No stickers or maybe a discount as a customer, but oh well, no lawsuit either :)

In the early internet days, you could email root@company.com about a website bug, and somebody might reply.