If you run any kind of web service, you should set up a security@yourdomain.com email address, display it prominently on your website and make sure it gets read by an employee with a technical background.
Not convinced? As a case study, check out this post on Hacker News. The OP said he had tried to report a security vulnerability to a messaging and voice services provider, but nobody would listen to him.
The suggestions ranged from full disclosure to emailing the CTO. I pinged the official Twitter account of the company with a link to the thread, but they brushed it off. Ironically, the company even advertises its service as a security solution on its Facebook page.
After about two hours, a member of the ops team finally chimed in on Hacker News and the issue got addressed. A little later, they also got back to me via Twitter. But the damage was done: people started telling stories of unrelated bad customer service experiences and one person said they were going to evaluate a competitor.
With a security contact prominently visible on the website, the whole thing could have been avoided.