Using 0days as part of pen-test?

[ArcSighter Elite <arcsighter () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi list.
I'm rather new to responsible disclosure, so experts may found silly my
question, but I've founded pretty interesting, so please keep reading.

A few days ago, I've identified a vulnerability in some closed-source
vendor's ftp server.
Then, days later I was requested to do pen-test against a company. While
I was information gathering, I've managed to identify that third-party
ftp daemon in one of the company's external hosts.
I wasn't pretty sure how to proceed in such a situation, but I've fal to
the temptation and exploited the flaw. That led to a 20-mins entire
network compromise, and of course proved that the network was vulnerable.
After doing that, and thinking about what I've done; I wasn't that happy
about my results.
First, I got the issue of how to report this vulnerability to the
company, without breaking the -intermediary- vendor contact and
agreement; because the vulnerability exists and its exploitable as I've
proved, but it wasn't general public knowledge the flaw is present.

I know I've braked a lot of phases of any pen-test framework, but IMHO a
blackhat will proceed exactly this way: they'll exploit the network
through its weakest link, and is my task to protect the company from the
blackhat, not from pen-testers (at least not the evil ones).

Secondly, the flaw provided me with enough information that otherwise
will take me a lot longer to achieve; so I felt the audit process has
been somehow compromised.

I think I've been clear enough, if I haven't just ask for more info.

What's the most ethical way to proceed in such a situation?

Sincerely.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJa0ZSH+KgkfcIQ8cRArj7AKD7hZCFOk+GBdkQ+v271wckKA8ECACgjWqR
U1rhxUzEw6Z+Q7P7Vxwe9mc=
=5m9Z
-----END PGP SIGNATURE-----