Unless you have some kind of legal protection, (Work for Google Project Zero, the NSA, or live in a country with no extradition treaty with the US) always disclose anonymously. If they ignore you, full disclose.<p>Nontechnical institutions are embarrassed by security problems, and will always seek to retaliate. When they did stuff like this in the 80s, you could call it simple ignorance, but 30 years later you can only call it a durable pattern of behavior.