I recently visited a very popular forum that requested login/password information through an unencrypted page. While I'm very grateful your software notified me of this risk, I'm now concerned for everyone's personal information on the website. I immediately posted a warning on the forum about my experience and sent a message to the website staff about the likely security flaw, but I am not sure about best practices in vulnerability reporting and would like your advice, recommended reading suggestions, or links.
I read the Electronic Frontier Foundation's page on vulnerability reporting, and while I know some rudimentary programming and have some professional experience in the computer industry, I'm by no means a security researcher. I do trust your software and the warning I received, so I feel the only decent thing to do is to immediately warn the affected community and website administrators, which, as I said, I already did. Is there a reasonable time frame that I should expect the website admins to rectify the issue before I notify tech reporters? Or should I contact tech reporters straight away and let them make that call?