Comment by anal_reactor

Unless the company has a bug-bounty program, never ever tell them about vulnerabilities. You'll get ignored at best and have legal issues at worst. Instead, sell them on the black market. Or better yet, just give away for free if you don't care about money. That's how companies will eventually learn to at least have official vulnerability disclosure policy.