You think that 2 weeks during the busiest time of the year is more than enough? When people are on vacation? Working on year-end wrap ups or prepping for new-year rollouts? During the holidays, I would say at least a month. Some states have their own laws as well.

You could avoid the possible legal entanglements by keeping your mouth and keyboard shut about the problem. If they don't want to fix it, it's on them. I'm assuming you fancy yourself a white hat hacker? YOU have no right or duty to publicize how to break into their website. If another criminally inclined hacker gets them, as I said its on them....unless you post how to do it all over the place. Then it could arguably be put on you, at least to some extent.