The right course of action when finding a vulnerability in an important company is to report it to the CERT (Computer Emergency Readiness Team), who can then contact that company and sort it out.