
CellBoth8566 t1_j69z95n wrote

How do you approach responsible disclosure when identifying vulnerabilities in a company or organization's systems?

2

cyberjerry42 OP t1_j69zzev wrote

I will typically try and reach out in multiple ways to the company to initially let them know of my findings. I will search for a `.well-known/security.txt` or an official security team email. If I can't find anything, I'll try and reach out directly to people via their work email. I will then wait a couple of weeks and try to reach out once more but this time broadening my "scope" even more (sending emails to more people and repeating those I've sent initially).

If, after a few weeks/months, there is still no response, I will try and reach out via public channels to the company (twitter, facebook, instagram).

I have yet to fail to reach out to a company (gladly), so I have thankfully never had to weigh the pros and cons of exposing a vulnerability publicly for the "greater good" of the community, so I can't really say what I would do if all channels of communication failed.

1