[chipuni]

First, create CLEAR instructions that shows how to access the database from outside the company. It's best if you create a script.

If you have zero tolerance for risk, then print out the instructions and a copy of the script AND put the script on a thumb drive. Then mail them (physical mail, in a literal envelope) both to the company with no return address.

Then you've done your part, and you're unlikely to be sued.

Good luck.

[throwaway3DN]

Unfortunately, they don't seem to be technically oriented, their website was built in 1997... I'm not that risk averse and I'd like to help them to improve their security and development practices, I'm aiming to get in touch with them without compromising myself if they react badly.