Vulnerabilities are often found by private bug hunters. Most companies don't offer a way to submit security related reports in an easy way. Instead the only way is to contact the customer support which is normally unable to handle the request.
Related topics are:
- Personal experience with bug reporting
- Defining a tolerated scope for private security testing
- Offering a simple way to submit a report
- Dealing with reports (Bounties, Disclosure, ...)