Thats far from reality. Just use the online form of BSI for disclosure. They contact the affected party for you. This way you optionally can stay anonymous and the vulnerabilities get fixed because BSI appears as the messenger.