As Johannes pointed out in http://isc.sans.org/diary.php?storyid=957 RFC2142 is a pretty good RFC to follow. It works both ways too.
For example, let's say you're running vulnerability scans against your local bank's website and you come across what you think is a very serious vulnerability do you:
a) Jot that IP address down for later use when you need to pay off your credit card debts from the holiday season's over-indulgences.
b) Drop a friendly fact-filled note to firstname.lastname@example.org
c) Launch a media campaign to publicize the risk encouraging your readers to write letters to the Office of the Comptroller of the Currency
If one supports the idea of Responsible Disclosure the answer would be B, followed by C after an acceptable period of time.