Finland is a NATO country, so for most people on this site you would be sending it to a government agency of an allied nation. Punishing that would make it look like you don't trust your allies

The other angle is that you are obviously doing it in good faith, on the assumption that they will try to work with the vendor to fix and responsibly disclose the vulnerability