Reporting a vulnerability to a government agency is very dangerous, and as a guiding principle, you should never do it.

In the best-case scenario, if you don't end up with serious legal trouble, they will deny everything, cover it up, and never respond any request from you anymore.

See: https://ian.sh/tsa