Nothing. If they're unwilling to fix it, they'll end up facing the consequences when someone less scrupulous than yourself discovers it. If you do publish it, odds are they'll issue a DMCA takedown and try to sue.
If you do publish it, odds are they'll issue a DMCA takedown and try to sue.
My experience is quite to the contrary. Even Intel, as poor as their security response was, didn't try to take legal action against me. (I was lucky that I was unemployed at the time, though...)
But that is an interesting attitude. Instead of being indignant that they didn't offer to pay you for doing their security research for them ( or at least publicly thanking you) you just seem glad that they didn't sue you.
It is like volunteering to help someone and then just being glad they didn't beat you up in the end.
So it seems like there is not much benefit to doing this (there is a benefit if you prevent other people information from being stolen) but immediately there is no upside. You either get ignored or you get sued. If anyone gets sued by a company who has a full department of lawyers on retainer, it is guaranteed they'll pretty much have a bad time.
Security research is exempt from the DMCA. Even before the exemption, the DMCA applies only to vulnerabilities that circumvent content protection schemes.
Speaking from experience...