A discovered vulnerability should first be reported to the vendor. The vendor should then be given the opportunity to develop a patch. After the patch has been published, or in the case of an unresponsive vendor, after a certain timeframe passes, the finding should be reported to the National Vulnerability Database and made public. The Dutch National Cybersecurity Center US CERT offers a good Guide to Coordinated Vulnerability Disclosure which we recommend that you follow, setting the default disclosure timeframe to 90 days.
In order to avoid mistakes, be sure to keep your supervisor informed about the disclosure process, e.g. by carbon copying the correspondence with the vendor to your supervisor.
If the disclosure process takes longer time than your thesis project, you can still present your thesis, complete the course and receive your credits. KTH will, however, not publish the report until the disclosure process has completed.