Rant

Contact information on websites

(Warning: rant ahead, written after 20 minutes of searching for that contact information, and still partially clueless)

Why is it that corporations don't publish their webmaster contact information on their website?
How are we, security people, expected to contact them when we discover that their site is vulnerable to one of the OWASP Top 10 web vulnerabilities?

Update: Finally I found it, yeuy.

Watchguard Fireware SSL-VPN Vulnerability

Warning: Rant ahead

Six months ago I discovered a huge vulnerability in the Watchguard SSL-VPN implementation. The consequences are quite important as, if exploited correctly, it is possible to perform arbitrary code execution on the victim's machine.

For six months now I've been in contact with 'someone' from the Watchguard security team. He has promised me many times a date when the fix will be released. I'm still waiting for it...
In his last mail he said the fix was committed to the beta team and that I was going to be added to the beta-testers list so I could try it out and play around with it. I'm still waiting to be added...

To be honest, I am starting to feel rather annoyed about their attitude.
  • I informed them privately of two important vulnerabilities.
  • I agreed to keep the details about the fixed problem confidential as a courtesy.
  • I have been waiting for 6 months with many beautiful promises about a fix and access to the beta.
  • I don't ask for any money for these reports.

For ethical reasons I will not publish the full disclosure without the fix. But next time I find a leak in their products I might start thinking about selling it to the highest bidder.

PS: This is not related to this other problem that has already been fixed.

Edit: Mark told me another way, one that gives less of a blackmailing feeling: kindly requesting the company to make a donation to a charity before giving them the information about the vulnerability in private. I think I'll do that next time.

Edit 2: Watchguard released a new version, v10.2.3, fixing this huge problem. Quoting the release notes: The Mobile VPN with SSL client and gateway now protect against "Man in the Middle" attacks. The Mobile VPN with SSL gateway generates a self-signed x.509 certificate when an IP address is assigned to the external interface of the Firebox. This certificate is presented by the gateway the first time a v10.2.3 client connects. Because the certificate is self-signed, a warning message about an “un-trusted” certificate is presented to the user the first time they connect to the Firebox. The user is given the option to confirm the certificate as trusted and save the certificate locally. Accepting the certificate as “trusted” allows the SSL client to warn the user if the certificate changes to alert the user of a possible Man in the Middle attack. [27304].
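The release note describes a trust-on-first-use check. As an added example (not code from this post or from Watchguard), here is that client-side logic in Python: the fingerprint of the gateway's self-signed certificate is saved once the user confirms the first-contact warning, and any later connection presenting a different certificate is flagged as a possible man-in-the-middle and refused. The gateway name and the DER byte strings are constructed stand-ins, not real certificates.

```python
import hashlib
import hmac
from enum import Enum


class PinResult(Enum):
    FIRST_CONTACT = "no saved certificate: warn the user and ask whether to trust it"
    TRUSTED = "certificate matches the saved copy"
    MISMATCH = "certificate changed: possible man-in-the-middle, refuse to connect"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


class TofuPinStore:
    """Trust-on-first-use store: one saved fingerprint per gateway."""

    def __init__(self) -> None:
        self._pins: dict[str, str] = {}

    def check(self, gateway: str, cert_der: bytes) -> PinResult:
        saved = self._pins.get(gateway)
        if saved is None:
            return PinResult.FIRST_CONTACT
        # Constant-time comparison of the hex digests.
        if hmac.compare_digest(saved, fingerprint(cert_der)):
            return PinResult.TRUSTED
        return PinResult.MISMATCH

    def accept(self, gateway: str, cert_der: bytes) -> None:
        """Save the pin; call only after the user confirmed the first-contact warning."""
        self._pins[gateway] = fingerprint(cert_der)


# Constructed stand-ins for DER certificate bytes (hypothetical, not real x.509).
GATEWAY_CERT = b"constructed-der:gateway-self-signed-certificate"
OTHER_CERT = b"constructed-der:a-different-certificate-on-the-same-address"
GATEWAY = "firebox.example.invalid"  # hypothetical gateway name


def simulate() -> list:
    """First connect, user accepts, reconnect, then a changed certificate."""
    store = TofuPinStore()
    outcomes = [store.check(GATEWAY, GATEWAY_CERT)]      # FIRST_CONTACT
    store.accept(GATEWAY, GATEWAY_CERT)                   # user confirms "trusted"
    outcomes.append(store.check(GATEWAY, GATEWAY_CERT))   # TRUSTED
    outcomes.append(store.check(GATEWAY, OTHER_CERT))     # MISMATCH
    return outcomes
```

The check only protects connections after the first one: whatever certificate is presented at first contact is what gets pinned, so the first-contact warning is the moment the user has to verify the fingerprint out of band.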

The Nuon and Electrabel game

Edit 7 June: Electrabel finally wired the money.

Game information:

Electrabel
2008-01-31 : Electrabel adds €125 (+taxes) of 'breaking contract' for a contract I didn't have. They inform me of this by (paper)mail.
2008-02-11 : They only transfer €158,9 instead of everything they owe me.
2008-04-03 : After many phone calls they finally admit that they still owe me €125 by sending a 'facture de clôture' (closing invoice) without any more info.
2008-06-05 : I still don't have the money on my account. (But the phone center I called last week said they opened a complaint to tell the financial department to pay me back. It usually takes two weeks, they say.)
2008-06-07 : Finally the money is on my bank account

Nuon
2008-06-04 : €802,86 has arrived on my bank account
2008-06-05 : Letter in the mailbox to say they owe me €802,86

The rules of the game: Find and explain the differences!

I Love Belgium... and you?
