People don't take bad news too well. Companies are no different.
Sorry to start on such a negative note, but it is important that you understand the mess you might be getting yourself into.
There have been a number of cases where security researchers have received threatening legal letters and even visits from the police, all for just trying to do the right thing. Telling a company that their software is broken can upset them. Rather than take responsibility for the problem, they might try to blame you. They might claim you were attempting to "hack" them or that you were trying to extort money from them. They might get lawyers involved. Getting caught up in this sort of mess can be very stressful, disruptive and time consuming.
Attrition.org maintains a list of legal threats against security researchers.
If you're really unlucky, you might not just get an angry letter from a lawyer. You could get a visit from the police. A classic example happened a couple of years ago when security professional Patrick Webster was questioned by police after notifying First State Superannuation about a direct object reference vulnerability in their online service. Think seriously about your intentions, and always act in a way that is defensible.