Whistle-blowing security vulnerabilities has to be handled carefully.
Some years ago, I discovered a nasty vulnerability that is present in almost all bank systems. I was developing a new system for my bank client.
Not being suicidal, I made an appointment with the bank's chairman, then I spoke to my lawyer, who arranged an appointment with the bank's principal (only) shareholder, so I ended up spending half an hour with a head of state.
I notarised a statement about the weakness and then advised the head of security that there was a flaw in the systems and, to drive the point home, I would carry out a transaction on a certain date that would be reversed 24 hours later.
Because I had advised my client, my lawyer, my client's shareholder and security head and set out in a notarised statement what the weakness is and how I would demonstrate it, I did not get into trouble. Quite the opposite, it kept me in work for many years.
You know, nobody was aware of this vulnerability until I demonstrated the problem, and many years later it still exists; it's simply too convenient. If anybody ever exploits it, it's just a cost of doing business.
The lesson is - cover your arse