If you think they'd sue, you can always send the details to a tech journalist specialized in such matters (someone with a proven track record of protecting their sources). Use an anonymous email service to be sure.
If something goes wrong, they'll take the threat of legal action and probably win. Companies know that suing journalists often leads to more bad press than cooperating. They can even try to contact the company in question for you if the vulnerability is bad enough.
If the company doesn't respond or get their shit together, journalists will get a scoop and the company is forced to fix their shit. If the company does fix their shit, the journalist will still get a story out of it and you can rest easy that you've helped make the internet just a little bit safer for everyone.