But it is NOT your business to publicize how to exploit the vulnerability. If you do business with them and they do not fix it, stop doing business with them. Easy solution and the one I would use, as well as telling anyone I know not to use them. Not everyone can see the old transactions, only those who take the time to identify and exploit the vulnerability. You could go so far as to make vague references to a vulnerability in the site, but even that is dangerous as it will invite the criminal hackers to find it.

