Obviously they don't just send the exploit directly in mail to a mailing list. Email, ask to talk to someone over the phone, explain the situation to that person, ask for references on prior releases being well-handled.

I want to avoid Monday morning quarterbacking, though. In hindsight the right course of action is always obvious.