Yeah, this seems to be the MO of most places. So far mk is the only person who, when informed about a vulnerability:
1. Took me seriously.
2. Didn't threaten me with legal action.
3. Wasn't more concerned about bad press than security.
There's an electronics store in the Czech Republic where I can still, after almost four years since reporting it, waltz in and look up the personal information (shopping history, the billing address, most of the bank details) of clients that threatened me with police. Countless fora that were so far behind with updates that a fucking single-quote SQL injection worked there, banning me for 'disruptive behaviour and vandalism'.
At this point, my only regret is that I have never found a bug on a site that openly offers rewards for reporting vulnerabilities. It's seriously not worth the hassle to report it most of the time. To this day I regret that my report to mk was done in a tone of "please do something about it, I'm you giving shit away from going black-hat with this thing", but I hope people understand where I was coming from.