"It is incredibly hard to responsibly tell people about a vulnerability and make them fix it or let them help you fix it for free"

The same for me. But do you know what to do if company is not interested in fixing critical things. Like private data of all users which leaked because of some reasons. If they just ignore — is it legal to make full disclosure?