This just sounds like responsible disclosure to me. With added steps because the "responsible" part requires you act differently due to the possible risk involved. This is likely the best way to go, and I'd expect to see some legal advice back it up were it to actually happen such an exploit existed.