If there is a law enforcement agency competent in handling such findings, this might work. Not all countries have an FBI equivalent. Many LEAs would ignore the findings, as they do not know how to deal with cyber issues, or they would more likely contact the company and leave it to them to handle. I can see this as being a lot more effective. The power (financial, legal and influence) is with the 'system', not the whistleblower. The only way to skirt the power brokers is to publish with integrity and let the chips fall where they may. Forgo the credit.
This was predictable. Once people start wising up to these developers and get closer to the point of actually accusing them instead of just accepting the old, worn-thin "software bug" excuse, they turn to the injustice system to shut them up. My advice to researchers: post your findings anonymously, then, in your real blog, discuss the findings of the "anonymous researcher".