I suggest you contact them in an official-looking e-mail where you point out that you haven't attacked them but rather observed how their website functions and that the current structure is insecure. Make sure you point out you're doing it for free and that you're not selling any services. (Otherwise they might see it as blackmail; I've experienced that on a few occasions where I even stated it was free.)
Also, you can write to the webmaster or, if they have a security department, to them as well, but usually you get the fastest response and activity via HR. When I've contacted administrators directly I've mostly been met with hatred or ignorance. In some cases my direct contact with e.g. the webmaster has been much appreciated though.
Some companies may take this as a personal insult or attack as well, so be prepared for whatever response they come up with. Some will also say they're going to fix it, and then it won't get fixed, even a year later, and we're talking about quite serious vulnerabilities here too.
I'm an InterN0T'er