It's only fair to publicly disclose immediately. You can't possibly alert every trustworthy company on earth.

Now, if you want a bug bounty, you have to file a report and wait a certain amount of time before you are allowed to disclose.