In some countries where this is the norm, like Germany, the usual route is to report the issue to journalists or to non-profits like the CCC, and those then report the issue to the government agency/company. This way you won't get prosecuted for responsible disclosure. Alternatively, an even safer route is to write a report and send it to them anonymously with a hard deadline on public/full disclosure; you won't get any credit for the discovery this way, of course.