I stumbled across a huge security vulnerability in a Certificate Authority that is trusted by all modern browsers and computers.

Specifically, I am able to get a valid signed certificate for a domain I don't own. If I had the means to become a Man In The Middle, I would be able to present a perfectly valid ssl certificate.

This vulnerability required no SQL injections or coding on my part. I quite figuratively stumbled across it.

What is the proper way to report this? I want to be ethical and report it to the offending CA, but I also don't want them to simply fix the vulnerability and then sweep everything under the rug. This problem seems to have been there a while, and I'm simply not smart enough to be the only one capable of finding it.

I'm concerned that solely contacting the CA will result in a panic on their part, and they, fearing a DigiNotar-like incident, will do anything to keep the public from finding out.

Am I allowed to also contact some major players, such as other certificate authorities or other sites such as CloudFlare or Google? (I know CloudFlare was given a heads-up about HeartBleed before the public announcement went out.)

Note: I'm posting under a psuedonym account to (try to) remain anonymous for now.

Edit: This question is related to another question, but I feel this vulnerability falls outside the scope of that question. This could affect essentially the entire internet (ie everyone online is a customer), and my question explicitly states that simply contacting the 'developer' (the accepted answer for the linked question) doesn't seem like the best first step to me.

Edit 2: I've gotten in contact with some people, and they've advised me to avoid talking further on this forum (sorry guys!). I'll update this question later, after the vulnerability has been fully fixed and any incorrect certificates revoked.

Edit 3: The details are out. I've posted more information on my personal site about the specifics of the vulnerability. The story is still ongoing, and you can read the discussion between Mozilla, Google, and the CA WoSign.

Edit 4: As promised, I'm updating with a link to an article written by Ars Technica regarding this and other incidents involving WoSign. Looks like WoSign and StartCom (now owned by the same company) may be in serious danger of root revocation.