Imagine:
Someone just called your organization’s switchboard (the only phone number they could find) and declared they had discovered what they think is a serious security problem in your product or service. They said they are planning to publish the information soon, but wanted to call you first.
What would your organization do with such advanced notice?