What to do when disclosure fails on a site collecting sensitive data, and journalists run the site?

Some journalists decided to make a site collecting sensitive data, which is concerning because they have major security holes and have not fixed them despite the proper disclosure that has already taken place. I follow the rule that if proper disclosure fails, the rest goes to full disclosure without telling the company, since that doesn't work. Einstein has defined the way most do proper disclosure as the definition of insanity. I am getting off-topic. There is more than one site that I know of with security holes that I reported, run by journalists who could destroy me, collecting sensitive data, so I am not concerned about talking about this publicly.

So, the next step is disclosure, but I am concerned about announcing these holes because of their collective power and my potential destruction. Also, the site has already been hacked, so whether or not criminals are watching has already been defined as "Yeah, they're watching and they could still be in the system collecting sensitive data."

In a situation like this, what on earth would you do? Staying quiet seems neglectful, but acting seems risky.

Hey Zombie,

I don't get the bit about full disclosure failing. You said you've disclosed the vulnerabilities to them directly, and presumably they did nothing or just didn't respond, so then you published them? If the site is already compromised, you could actually disclose that fact. It sounds like it's just a matter of time (if it hasn't happened already) before the contents of the site, whatever they may be, end up on infotomb or pastebin.