How much more plain than "Who can I contact regarding security vulnerabilities in your system" can you get? When she asked what kind of vulnerabilities, would saying, "unsecured admin panel and xss allowing for session jacking and spoofing" really have been more meaningful than what he said? Even saying "unsecured admin panel" on twitter would have sent people scrambling for it. He was attempting responsible disclosure before he turned to full disclosure.
All you guys (not targeted specifically at you here) that say 'He tried it in a clear way': Call one of the lesser technical inclined people in your family/among your friends. Tell them you've just read about a security vulnerability and wonder if they could describe what that is to one (possibly less technical inclined) people in their family/among their friends.
That's essentially what you're looking at if you throw these words at a corporate marketing (with some links to support) drone that needs to fill in his/her supervisors to make anything special happen.
