[imhoguy]

I have read some advice in the past that one should report vulnerabilties via officially known independent security related group (white hat) or via a journalist. The point is to get some legal backing just in case. Does anybody have an experience with such way?

[bondant]

In France, you can report vulnerabilities to the ANSSI (National Cybersecurity Agency of France). The agency stays somewhat neutral between justice and the company with vulnerabilities since ANSSI must protect confidentiality of their informer. Informations can be sent by email or postal service.

http://www.ssi.gouv.fr/en-cas-dincident/vous-souhaitez-decla...

[pyroinferno]

I report all the vulnerabilities I find to the NSA. Very nice people.