When all else fails, full disclosure (the process) seems to work.
Early in January, we sent a bunch of emails to the people at the Georgia government after we detected that they were hosting malware. We also asked for contacts on Twitter. Nobody replied. Nothing got fixed.
Early in January, we did the same thing with the people at the Colombian government, and again nobody replied and nothing got fixed.
The good news is that after we posted about it on our blog, people from both governments contacted us and fixed their sites, removed the malware, etc. Awesome! They just needed a bit of attention to look at their security issues.
However, we only take the full-disclosure route when all else fails. Early in February we detected that one of the UNDP (United Nations Development Programme) sites was hosting malware. We asked for contacts on Twitter, got a reply, and everything got fixed within a day.
Same thing with the University of Rhode Island (uri.edu). Their main site was hosting malware, and after we contacted them using the Whois information (and abuse email), everything got fixed within a day.
What to take from that? If you are a site owner, please configure your abuse@ email address and have clear contact instructions on your site. If you are a security researcher who found something wrong and nobody listened to you, try full disclosure: blog about it and they might notice.
Notice: I am talking about full disclosure, the process, not the mailing list.