by Demmme 1105 days ago
Black hat vs white hat.

As soon as I would discover I could do that, I would inform the company, not some script kiddies on the internet.

This is just irresponsible

> This is just irresponsible

And reporting to the vendor is suicidal. At least assuming the stories I hear about vulnerability disclosures are representative, which I think they are.

In their place, if I were to inform the company, I'd do it anonymously. If it was an actually important issue - as this very much looks like - I'd consider informing the building manager, HOA, the gas installation company they use, and every local journalist, all together so they know about each other - and then CC that to the vendor.

Another option can be your country's CERT. In reasonably developed countries they generally have competent enough people to understand the concept of responsible disclosure (i.e. won't try to harass you for doing a good thing), and if they realize "oh shit, this is a critical infrastructure risk" they're probably in the best position to address not just the specific case, but also drive improvements (including via regulation) across vendors.
Yes, thank you. That's definitely a better option. And less hassle (and smaller risk of possible blowback) than making a media (MSM or social) storm.
How often have we seen good intentions be punished?
More often than not.

I don't buy this and will not act shitty just because