
Let's assume you stumble across a vulnerability in some online system, which is a commercial product by a small US company (1 to 50 employees according to Glassdoor). That online system shall be hosted for some clients and sold to others. The vulnerability shall consist in unauthorized access/privilege escalation through URL manipulation, and shall allow information to leak and to be modified, with data modification a rather theoretical threat that would easily be detected: the main issue being leaking of sensitive data. It is reasonable to assume that the company would not want this problem to become public. The vendor does not seem to have a bug bounty program.

You would not want to exploit this vulnerability. Quite the contrary, you would want to make sure this vulnerability is fixed. Specifically, you would want to make sure that clients' systems are updated, and clients are informed about the potential of past leaks. (The latter is hard to detect without public disclosure.)

Ideally, you would also welcome some recognition (not necessarily money - maybe something to put onto your CV if all goes well); ideally, you would like to be thanked publicly for finding and reporting the vulnerability, alongside a public disclosure. Obviously, you would not make monetary payments a condition for disclosure---compare Is demanding a "donation" before disclosing vulnerabilities black hat behavior?

I understand that contacting the clients would not be ideal, to say the least---compare Contacting customers of vulnerable software, is it wrong?

I also understand that in the US (assume you are not US-based, but might want to travel there), even modifying a URL can be considered illegal---compare At what point does "hacking" become illegal? (US). Therefore, one may not want to contact the company with a real name, at least to begin with.

So, what are good and safe ways? The following alternative solutions came to my mind (these are four individual ideas---not four steps of one idea):

  1. Write an anonymous email (through Tor etc.).

  2. Convince the company that a bug bounty program was in their best interest. Wait for it to begin, then disclose through the bug bounty program. This would have the benefit of at least some legal protection for the disclosing party, as I understand it.

  3. Disclose through openbugbounty.org. Publicly disclose after 90 days.

  4. Reserve a CVE to later prove that one is the discloser.

Some questions related to the above ideas (I may break them up into individual questions if people think this makes sense):

  1. I came across this comment, which sounds wrong to me:

     > In extortion the payment is mostly for not publicly disclosing the vulnerability, not so much for its private disclosure. If you would just ask money for private disclosure without threatening exploiting it or public disclosure, I would not think of it as extortion.

     Is this an accepted opinion?

  2. How would one do that without appearing extortionary? Can one publicly disclose if the bug bounty program does not imply public disclosure by the company?

  3. Is that available to use for any website, or just participating websites?

  4. Then what?

bers
    I think openbugbounty is a good approach. Submit a case there, inform the site owners. – ThoriumBR Aug 20 '18 at 14:35
    Well, better use openbugbounty to cover your ground, i.e. you can check the track record of an entity's response to the patch, then make your own call. Entities with an "I don't care" response are those you want to avoid, as they are likely to turn "hostile". While companies that open bug bounties or do business in the EU are mostly "safe". The recent is obvious, while the EU factor is mostly due to GDPR: it is more economical to pay for the bounty and be friendly to the researcher than pretend to be some "big gun" player like Equifax. – mootmoot Aug 20 '18 at 16:01

1 Answer

I would say that if you are withholding this information to receive recognition, you are in this for the wrong reasons.

Contact your local CERT and have them help you through the disclosure process. This way you should be shielded from the company, and the CERT should have a process for handling responsible disclosure between the two parties.

If you want recognition you will need to talk to the company directly or check if they have a security.txt located on their site with relevant information.

You will not get a CVE issued for a single website I'm afraid.

– McMatty
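The answer above points at security.txt as the place to look for a vendor's disclosure contact. The following is an added example, not code from the original post or from any vendor, showing how a researcher would locate and sanity-check such a file before using its contacts: it builds the RFC 9116 candidate URLs for a host, parses the Field: value format, checks the required Contact and Expires fields (an expired file means the contacts may be stale), and picks the preferred contact. The sample file content, the domain example.com and the addresses in it are constructed for illustration; fetching the URLs over HTTPS is left out so the example runs offline.

```python
"""Find and sanity-check a vendor's security.txt (RFC 9116) disclosure contact.

Added example, not part of the original post or any vendor's code. The file
content below is constructed for illustration; example.com and the addresses
in it are hypothetical placeholders.
"""
from __future__ import annotations

from datetime import datetime, timezone
from urllib.parse import urlparse

# RFC 9116 puts the file under /.well-known/; the site root is a legacy
# location that older deployments still use, so it is tried second.
SECURITY_TXT_PATHS = ("/.well-known/security.txt", "/security.txt")

# Constructed sample file for a hypothetical vendor.
SAMPLE_SECURITY_TXT = """\
# Security policy for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/report-vulnerability
Expires: 2030-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, de
Policy: https://example.com/security-policy
Acknowledgments: https://example.com/hall-of-fame
"""


def candidate_urls(site: str) -> list[str]:
    """URLs to fetch, in order of preference, for a host name or URL."""
    parsed = urlparse(site if "://" in site else "https://" + site)
    return ["https://" + parsed.netloc + path for path in SECURITY_TXT_PATHS]


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Parse 'Field: value' lines into {lower-case field: [values in order]}.

    Comment lines (#) and blank lines are skipped. Lines without a colon
    (such as the PGP armor lines of a signed file) are ignored rather than
    treated as an error. Repeated fields such as Contact are all kept.
    """
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_timestamp(value: str) -> datetime:
    """RFC 9116 timestamps are ISO 8601; accept the common 'Z' suffix."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts


def validate(fields: dict[str, list[str]], now: str | None = None) -> list[str]:
    """Return a list of problems; an empty list means the file is usable.

    `now` is an ISO 8601 string (defaults to the current UTC time) so that
    the expiry check is reproducible.
    """
    problems: list[str] = []
    if "contact" not in fields:
        problems.append("no Contact field (required by RFC 9116)")
    if "expires" not in fields:
        problems.append("no Expires field (required by RFC 9116)")
    else:
        try:
            expires = _parse_timestamp(fields["expires"][0])
        except ValueError:
            problems.append("Expires is not an ISO 8601 timestamp: "
                            + fields["expires"][0])
        else:
            current = _parse_timestamp(now) if now else datetime.now(timezone.utc)
            if expires <= current:
                problems.append("file expired on " + expires.isoformat()
                                + "; its contacts may be stale")
    # Contact values must be URIs; these three schemes cover nearly every file.
    for contact in fields.get("contact", []):
        if not contact.startswith(("mailto:", "https://", "tel:")):
            problems.append("Contact is not a mailto:/https:/tel: URI: " + contact)
    return problems


def preferred_contact(fields: dict[str, list[str]]) -> str | None:
    """RFC 9116 lists contacts in order of preference, so the first one is
    the vendor's preferred channel. Returns None if there is none."""
    contacts = fields.get("contact", [])
    return contacts[0] if contacts else None


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; fetching the URLs from
    # candidate_urls() with a real HTTP client is left to the reader.
    for url in candidate_urls("example.com"):
        print("would try:", url)
    parsed = parse_security_txt(SAMPLE_SECURITY_TXT)
    print("problems:", validate(parsed, now="2026-01-01T00:00:00Z") or "none")
    print("preferred contact:", preferred_contact(parsed))
    print("encryption key:", parsed.get("encryption", ["(none)"])[0])
```

If the file exists and validates, the Encryption field gives the key to encrypt the report with, and Policy tells you the vendor's stated disclosure terms before you send anything; if there is no file at either path, the CERT route from the answer remains the safer first contact.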