by jacquesm
3867 days ago
That's a good point. If you get something out of it then it's not exactly as if you only have the public interest at heart. Which makes me wonder what would be the way to act if you found a major vulnerability in some vendor's product and they point-blank refuse to fix it even given plenty of time. The public good would (could?) clearly outweigh the company's interest if the hole is bad enough, but it could get extremely expensive if you went public with the flaw against their wishes (assuming they know who you are and you're in a location where they can make your life hard). This is probably very different from jurisdiction to jurisdiction; here in NL we have a government watchdog for such cases which starting 1/1/2016 will have a lot more teeth, but in other countries the situation will surely be very different. Anonymity would seem to be an asset in such cases.