Hacker News

rukshn today at 4:56 AM (10 replies)

I stopped reporting any security bugs I find in web apps because the first time I did it I almost got arrested by the police.

The second time I did it, they contacted my employer directly without even getting back to me, saying they were unhappy that I had reported it and wanted to write about it after they fixed the issue.

Since then I decided it's not worth all the hassle; I will let them be, and I can also have a peaceful day.


Replies

Permik today at 8:02 AM

If you want to, you can report any vulnerabilities to the Finnish Cyber Security Centre and they'll handle all of the reporting and mediating the issue with the affected party. You can do this wholly anonymously, so you don't have to worry about some trigger-happy corpo ruining your life.

Traficom's FCSC has been a great asset for white hat security researchers globally by allowing them to just keep contributing to the common good.

hennell today at 11:37 AM

I once tried to report an incident to a train line that had done "~a nice thing for a person~" and had photos about it on their social media. One photo was in their office, in front of a wall with an A4 page of usernames and logins for various systems on it.

I tried three different contacts I could find; only one came back to me and wanted to know what the systems did, what the risk was, etc. I pointed out I had no idea, and I'm absolutely not logging into mysterious systems to find out: pass it to your own IT so they can see what needs to be changed, rotated, etc.

I did eventually get a message back from someone who thanked me for my diligence and said it was solved, as they had now removed the photo... I really hope they had someone who understood look at it, but I decided not to engage further...

subscribed today at 6:11 AM

Do not bother.

I was wearing a white hat professionally for quite a while but I can't fault you - at this point trying to be honest and helpful is dangerous. If you decide to sell the vulnerabilities, so be it.

harrouet today at 8:20 AM

Some may criticize regulations, but the EU-mandated Cyber Resilience Act (CRA) actually forced companies to have a clear contact point for vulnerability reporting, and to act upon it.

lionkor today at 6:36 AM

You could try reporting them (the exploits) anonymously to a government agency

p0w3n3d today at 5:52 AM

That's really sad to hear; you must have felt really bad. Just because they do not know about the vulnerability, it won't disappear. And they won't fix it either. Ignorance is bliss, but not in this case...

Izmaki today at 11:36 AM

I'd do my very best to find more such vulns from the same problematic and aggressive companies, then sell them on the black market for pennies, or just outright leak them.

Why?

To show the stubborn, offended little snowflakes that it's better to reward your heroes than try to turn them into villains.

I bet this post will get downvoted a ton. I'm OK with that. I'm sure that a message supporting any national resistance movement during WWII would have been downvoted, too.

lofaszvanitt today at 2:01 PM

Sell them to a vuln or exploit broker. Problem solved.

avazhi today at 9:40 AM

Just sell it, bro.

snvzz today at 5:59 AM

Yup. Do not even bother.

In the black market, 0days are actually worth something.