The answer is not "sweep the problem under the rug", but rather "tell people who know what they're doing". The idea of "oh, let's just pretend this security hole doesn't exist" makes me cringe.
As JCR wrote: "The safe and sane approach is to contact CERT [3,4] through their vulnerability reporting page [5] and let them contact the vendor."
If that idea makes you cringe, you should work to change our politicians because that is how the law is written. Any unauthorized access, even if the initial probe was accidental, is against the law, and with the way security break-ins hurt company stock prices these days, you can be damn sure someone will come after you if it gets out, even if you weren't the one to release it.
All in all, don't tell people unless you have explicit, written proof of the company's consent to pentest their application, because it's simply not worth risking your entire life because someone in power's day is ruined by your curiosity.
As JCR wrote: "The safe and sane approach is to contact CERT [3,4] through their vulnerability reporting page [5] and let them contact the vendor."
[4] https://www.cert.org
[5] http://www.kb.cert.org/vuls/html/report-a-vulnerability/