I don't bother with informing companies about flaws anymore (well, not that I ever really did)... the only exceptions I would make are in the context of FOSS, and there developers ask for that anyway because it's a main part of the whole idea.
And hey, what sense does it make? In the best case you will get a "thanks"... but often they either don't care at all and ignore you, or even act like you are the one to blame for their sloppy security... so yes, better cut down on the Jack Daniels, it obviously makes you too kind.
P.S. Here's a nice one I discovered recently when trying to set up a customer site I created on their lunarpages.com "web hosting" package: they still use PHP 4.4.9, release date Aug 2008.