Any number of factors can lead to difficulty in making the initial connection between a would-be reporter and the party or parties that can do something about the vulnerability they want to report. Sometimes products outlive vendors. This can even happen in open source projects where the code is still out there but the team that built it has scattered to the winds. Companies go bankrupt. People change jobs. Maybe Vendor A included a library from Vendor B, who licensed it from C, but they only got a binary executable and didn't get the source code; and Vendor C is a spinoff of a conglomerate going through bankruptcy proceedings in a different country where they don't speak your language. Things can get complicated.