Some guy on Reddit /r/netsec posted this:
You should be very careful to avoid anything that looks like extortion. Threatening public disclosure if a vulnerability is not fixed is fine in most countries with a legal system based on English Common Law. Conversely, threatening disclosure if you are not paid is illegal in those same countries. Do some research on the company you’re dealing with: have they hired security researchers in the past? Have they dealt with disclosures before? Do they have a person who is responsible for security? Be cautious and professional in your approach and clear on your goal…
Thank you, laprise.