As Johannes pointed out in http://isc.sans.org/diary.php?storyid=957 RFC2142 is a pretty good RFC to follow.  It works both ways too.

For example, let's say you're running vulnerability scans against your local bank's website browsing your local bank's website and you come across what you think is a very serious vulnerability do you:

a) Jot that IP address down for later use when you need to pay off your credit card debts from the holiday season's over-indulgences.

b) Drop a friendly fact-filled note to abuse@localbank.com

or

c) Launch a media campaign to publicize the risk encouraging your readers to write letters to the Office of the Comptroller of the Currency

If one supports the idea of Responsible Disclosure the answer would be B, followed by C after an acceptable period of time.  I wouldn't recommend choice A.  Jumping straight to C is likely to annoy localbank's Incident Response team and result it happy letters from their legal departments.  Another reader points out that he feels that you should try B, and if that fails, take your business elsewhere.