If you find a vulnerability on a .gov service, check current-full.csv or whois (same data) to see if the domain has a security contact. Most federal (executive branch) agenicies also have a vulnerability disclosure policy. If you are unable to find a contact or receive no response from the security contact, you may email [email protected].