Be super careful with this. You had innocent intent, but that doesn’t mitigate the fact that you potentially broke the law (and regardless of whether you did or not, that won’t stop the feds busting in the door). Some places will take reports like that gratefully; others will do everything in their power to make you out to be the bad guy.
When it comes to random companies running their own VDP vs. hiring it out, it can be less than standard despite there being lots of resources on setting it up. I've seen ones that only include a phone number, the email address listed doesn't exist anymore, etc.
Others have even had to get to the point of contacting an executive via LinkedIn despite there being a VDP page / security.txt.
Under New Zealand's Crimes Act, all unauthorised access is illegal. This has been used in court to cover places where someone was not pre-approved, rather than just a policy that gives an implied acceptance. It has also been used where someone has accidentally gained access via unsecured systems.
I would not be so confident in stating that they did not break the law.
So far, the courts have ruled that you need to be specifically approved, by name, before any work begins. There is no safe harbour here. Your policy does not overrule the law. You need a pre-existing relationship with the company before you begin to look for vulnerabilities.