[Joakal]

1) Follow their contact us request (Likely an email to the general address) and make a task note in a month to review the correspondence (stateless).

2) If no reply in that timeframe, make a blog post and a recommendation to listen to security reports. Post to HN. Public shame upon them to do two things aforementioned.

I'm happy with this for my projects. I take security reports very seriously and it's the only development priority over cat pictures.

For monetary incentive: Major websites will give a reward for reporting to them.