Alternatively, document it with trusted timestamps and don't report it. Then if someone else exploits it you could parlay the media frenzy into a lot of publicity that's probably worth more than the tiny bounties many companies pay.

"Oh, we discovered that 2 years ago, but the bug bounty program didn't make it worth reporting. Want to buy a security audit?"