With all due respect, most of the replies here are missing the most important point.
Does the company have a bug bounty policy?
No?
Then keep your mouth shut and get on with your life.
A significant percentage of people in power will react to unsolicited warnings of security vulnerabilities by attacking you as though you were their enemy. Worse, the law is at least not clearly on your side. This is not theoretical: people have come to significant harm in this way. Being a hero is great. Being a martyr? Not so much. You don't want next week's top HN story to be an appeal for donations to the legal defense fund of sah88.
The M-29 Davy Crockett tactical nuclear recoilless rifle. (Jeep-mounted, no PALs, the rocket's flight range was less than its lethal radius of effect: the crew were supposed to fire it over a hill then dive under their jeep for cover.)
People not only imagined these things, they built them and deployed them in the stone-cold expectation of using them in anger.
That all those official denials and assurances at the time were BS and lies serves as a good reminder for how to treat similar assurances in the present.