July 27th, 2002, 06:43 PM
#1
Senior Member
i agree with most of what has been said. i have found that most unsolicited audits are either ignored or are answered with hostile responses, regardless of professionalism and approach.
if that is the case, then in the end you have to decide how important it is for you that they fix it. i.e. does it affect you in any way? is your information at risk? if not, then it might be better to not push the issue. on the flip side if you don't push it, and they don't fix it and someone else comes along and exploits it - they will immediately turn their eyes towards you for blame.
some things that will help establish rapport _AND_ cya. document everything you do. the source address, the time, commands issued, accounts accessed (successfully or failed), etc. these will need to be verifiable facts (target host and network logs).
at most it will validate that during that time you were not acting "maliciously" - it will NOT prove that you haven't acted in poor taste at any other time or through any other host (past, present, or future); but overall it will provide them with some form of self-evidence without relying on the words/claims of an unknown.
it might also be beneficial to seek the help of a 3rd party acting as moderator/mediator: for your own anonymity, if need be, and/or to allow the disclosure(s) to come from a trusted party.
the general security public will more than likely see this as grayhat activity. i'm not going to say it's a good or bad idea to contact the company. depending on the severity, i'm sure that there are those who have served time for much less...on the flip side there are those who get articles and what-not written up about how much they helped out xyz company (controversially). you might do some research on the general attitude of the company - previous incidents, etc.
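One way to keep the kind of record the post above asks for (source address, time, command or account, outcome) so that it can later be lined up against the target's own host and network logs. This is an added example, not code from the original post or from the forum: it hash-chains each entry to the previous one with SHA-256 so an entry that is edited or dropped afterwards no longer verifies, and the last hash can be handed to a third party (the mediator the post mentions) at the time so that truncation is detectable too. All addresses, accounts, times and actions below are constructed sample data, and the JSON-lines format and field names are this example's own choice.

```python
"""Tamper-evident log of an assessment session (added example, not from the post).

Each entry carries the fields the post says to record (time, source address,
target, command or account touched, outcome) and is chained to the previous
entry by SHA-256, so that an edited or removed entry is detectable later.
All addresses, accounts and times below are constructed sample data.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # prev_hash of the first entry


def _entry_hash(prev_hash: str, fields: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so the digest is reproducible
    payload = prev_hash + json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class ActivityLog:
    def __init__(self, source_addr: str):
        self.source_addr = source_addr  # the address the target will see in its own logs
        self.entries: list = []

    def record(self, target: str, action: str, account: Optional[str],
               outcome: str, when: Optional[datetime] = None) -> dict:
        """Append one action; `when` defaults to now, always stored as UTC."""
        ts = (when or datetime.now(timezone.utc)).astimezone(timezone.utc)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        fields = {
            "seq": len(self.entries),
            "time_utc": ts.isoformat(timespec="seconds"),
            "source_addr": self.source_addr,
            "target": target,
            "action": action,
            "account": account,
            "outcome": outcome,
            "prev_hash": prev,
        }
        entry = dict(fields, hash=_entry_hash(prev, fields))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the latest entry; give it to a third party at the time so truncation is detectable."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def to_jsonl(self) -> str:
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def verify(entries: list, expected_head: Optional[str] = None) -> tuple:
    """Recompute the chain. Returns (True, None) if intact, else (False, seq of first bad entry).
    A chain that validates but ends on a different head than expected has been truncated."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("seq") != i or e.get("prev_hash") != prev:
            return False, i
        fields = {k: v for k, v in e.items() if k != "hash"}
        if _entry_hash(prev, fields) != e.get("hash"):
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None


def build_sample_log() -> ActivityLog:
    """Constructed session: three actions against a made-up host from a made-up source (documentation ranges)."""
    log = ActivityLog("203.0.113.7")
    t0 = datetime(2002, 7, 27, 18, 43, 0, tzinfo=timezone.utc)
    log.record("198.51.100.20", "ssh login attempt", "guest", "failed: permission denied", when=t0)
    log.record("198.51.100.20", "GET /admin/", None, "HTTP 200, directory listing", when=t0)
    log.record("198.51.100.20", "GET /admin/config.bak", None, "HTTP 200, not opened further", when=t0)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(log.to_jsonl())
    print("intact:", verify(log.entries, log.head()))
    log.entries[1]["outcome"] = "nothing found"  # simulate a later edit
    print("after tampering:", verify(log.entries))
```

The chain only proves that the record was not altered after the head hash left your hands; it says nothing about actions you chose not to log, which is the same limitation the post notes for this kind of self-evidence. Record every attempt, failed logins included, since those are exactly the events the target's logs will show.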