16

Take this scenario:

You browse the web and find a website that is vulnerable to SQL Injection. Being a good guy/gal you report the vulnerability to the site owner (if you are able to find contact details).

What do you do if no one replies, or they say thanks but never get around to fixing the problem?

AviD

3 Answers

7

Start by reading the answers to these questions:

Start by trying again, possibly with a different email address (unless you received a personal confirmation, you can't be sure someone actually read your email).

If that doesn't work, I would say it depends:

  • If it's a big, famous site with high visibility, there are sites to publish this to. (http://isc.sans.edu/diary.html?storyid=8701 lists some, but I'm not completely comfortable with that.)
  • If it's a smaller unknown site - there's no reason to publicize the vulnerability, it will just draw attackers that otherwise would not even know or bother with them.

There's really not much else to do - you've already performed your civic duty.

AviD
5

Actually, this is a widespread problem. And no matter whether it is a small or big website, you may get no feedback for many reasons - no valid contact e-mail, no one is willing to fix it, someone just doesn't feel like it is his duty.

Usually, there should be many e-mail addresses for contacting a person who is somehow responsible for website management. Pentesters try something like admin@..., security@..., etc. Another possibility is to get an e-mail address from DNS whois. That covers how to find a contact.

If you got a response, but no one fixes the vulnerability for some time, then try sending a second mail. Do not spam them to death, but kindly remind them about the issue.

If no one replies and there is no possibility of getting in touch with website representatives, well, then there are still three things you can do. It is a bad sign, but that is the website owner's problem - do they really care? So, at this point you can:

  1. go full disclosure - for example, post at http://www.xssed.com/;
  2. leave the vulnerability alone;
  3. patch it yourself - yep, break in and fix the vulnerability.

Points 1 and 3 are somewhat risky, especially 3, but if you do really care, things can be worse. I suppose that's it.

0

You can check out a virtually identical question asked at StackOverflow: "Hacking and exploiting - How do you deal with any security holes you find?"

There are some good answers there discussing the ethical thing to do, the legal thing you should do, and more.

Chris Dale