There should exist a vulnerability disclosure intermediary. They can function as a barrier to protect the scientist/researcher/enthusiast and do everything by the book for the different countries.
They’ll close a report as “no action” if the issue isn’t related to Microsoft products. That said, in my experience they’ve been a reasonable intermediary for a few incidents I’ve reported involving government websites, especially where Microsoft software was part of the stack in some way.
For example, I’ve reported issues in multiple countries where national ID numbers are sequential. Private companies like insurers, pension funds, and banks use those IDs to look up records, but some of them didn’t verify that the JSON Web Token (JWT) used for the session actually belonged to the person whose national ID was being queried. In practice, that meant an attacker could enumerate IDs and access other citizens’ financial and personal data.
Reporting something like that directly to a government agency can be intimidating, so I reported it to Microsoft instead, since these organizations often use Azure AD B2C for customer authentication. The vulnerability itself wasn’t in Microsoft’s products, but MSRC’s reactive engineers still took ownership of triage and helped route it to the right contacts in those agencies through their existing partnerships.
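The missing check described in the comment above, shown from the defender's side as an added example (not part of the original comment and not any reported organization's code): a record lookup that only authenticates the token next to one that also binds the token to the queried ID. The `national_id` claim name, the HS256 demo key and the sample records are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"   # constructed; a real service verifies the IdP's signature
RECORDS = {"1000001": {"name": "Alice", "balance": 1200},   # constructed sample data
           "1000002": {"name": "Bob", "balance": 87}}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(national_id: str) -> str:
    """Stand-in for the identity provider: HS256 JWT with a hypothetical national_id claim."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"national_id": national_id}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_token(token: str) -> dict:
    """Return the claims if the token is well-formed and correctly signed."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            raise ValueError("bad signature")
        if json.loads(_unb64(header)).get("alg") != "HS256":
            raise ValueError("unexpected algorithm")
        return json.loads(_unb64(payload))
    except (ValueError, TypeError) as exc:
        raise PermissionError("invalid token") from exc

def lookup_vulnerable(token: str, requested_id: str) -> dict:
    # Authenticates the caller but never checks whose record is being requested.
    verify_token(token)
    return RECORDS[requested_id]

def lookup_hardened(token: str, requested_id: str) -> dict:
    # Authorization: the ID in the request must be the ID the token was issued for.
    claims = verify_token(token)
    if claims.get("national_id") != requested_id:
        raise PermissionError("token subject does not match requested ID")
    return RECORDS[requested_id]
```

Logging the rejected mismatches in `lookup_hardened` also gives a detection signal: one token requesting many different IDs is the enumeration pattern the comment describes.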
National CERTs usually take up this role. I presume OP could have anonymously disclosed to the Maltese CERT, whom they already CC'd, though you'd have to check with them specifically to see if they offer that. Hackerspaces also often do this, especially if you're a member but probably also if not and they have faith that your actions were legal (best case, you can demonstrate exactly what you did, like by showing the script you ran, as OP could).
They can also sue the pope but I don't think the pope finds that a risk worth considering either when they didn't do any hacking, legal or otherwise. How would an organization get sued for hacking when they didn't do any hacking and are merely passing on a message?