The industry standard seems to be disclosure to the entity followed by a reasonable grace period, at which point the bug is disclosed to the general public (where there's room to quibble over what the definition of "reasonable" is).
I'm not sure that helping individuals protect themselves is the main goal, though. It is important that entities respond to these issues in a reasonable timeframe, because if a small group of researchers, academics, or whatever can find a bug, then other nations' intelligence agencies or industrial espionage groups can as well.
Realistically, in the case of companies, the best an individual can do is not do business with them. In the case of government agencies in democratic countries, public pressure is probably the way to go.