Important:
1. Do not pass for a spammer. The appeal must be very personal.
2. Don't pass for a blackmailer.
I would describe in detail on what occasion you write.
Because otherwise:
Just yesterday, I was shown a letter from such a "notifier of vulnerabilities." It strongly looked like science fiction (ordinary people do not understand that their site can be taken under someone else's control, they only read about it in the news) and blackmail (it sounded like this: well, what are we going to do with this).
The manager, having received the letter, answered simply - "not interested." I did not bring it to the management or to the admin.
In general, this is a big problem.
PERSONALLY familiar with the owners of the site. HALF A YEAR I hammer them about vulnerability. There and spammers have already settled on their site. And they at least henna - but no: they asked how much it costs to repair. The cost of the answer apparently did not suit, they decided that I stupidly want money. I think until someone defaces them, they won't catch on.

If the office has an official (s) address (s) - send notifications to all that blah blah blah. But the reaction will be different :) depending on what kind of office and on its thickness.

I don’t know how it is now, but 15 years ago, even now, large offices suffered from bugs, it was necessary to make a very vile deface so that they started to catch it straight. I tried to get it working =)

Write to the site owner something like

Hello, are you interested in checking yours for vulnerabilities? Finding bugs will be free, if I find them, I will help fix them for a fee

Similarly, I was looking for an answer to a similar question of my own ... I sent it from "my" dark e-mail. But even "Thank you" many do not write back ... And of course, many do not even correct bugs! )) What are foreigners, what are our own ...