I discovered a vulnerability in a product API at our company where if the product is exposed to the internet then you can exfiltrate usernames, email addresses and real names without authenticating.
I have contacted the company and they informed me they have been aware of the problem since at least 2017 and will not be fixing the issue or providing customers any additional security notifications.
I can use Google to find about 5000 exposed product APIs from different companies and government agencies. About 10% are configured in a way that I can pull all of this information for every user on the system with a simple script.
There is more information that you can probably pull from the API, but I stopped looking down that rabbit hole as I am scared of how far it will go.
What is the more responsible way to help the security community use the information I have responsibly?