Well, if an organization/web site owner isn't answering your request, there's not much you can do. I wouldn't in any way do anything without permission, so don't just start trying some random pentesting if they don't answer. Even if you have only good intentions and want to help, you can still be charged. I've seen it happen several times. Even employees who want to help and "pentest" things without permission have been reported by their employer and then convicted. "Being kind" isn't a relevant/valid argument. You need written permission from someone who has the mandate within the organization to allow such operations.
Bug bounty has already been mentioned.
You could also look for a security.txt file that has contact information within the organization. Look for it at https://<URL>/.well-known/security.txt (or using http) on each website. It's not a "standard" so don't expect to find it everywhere, but it's a way to be able to contact website owners about vulnerabilities found. Note though that you might be considered to be trying to break security if you first find the vulns, then report them. It might get you into trouble. Some orgs are nice, some do things "by the book" and might report you.
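As an added example that is not part of the post above: a small parser that pulls the reporting contacts out of a security.txt body and flags a file whose expiry date has passed. The `Contact` and `Expires` field names come from the security.txt format rather than from the post; the function names and the sample file are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample file body (not taken from any real site).
SAMPLE = """\
# Security contact details
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en, sv
"""

def candidate_urls(host):
    """Locations named in the post: https first, then http."""
    path = "/.well-known/security.txt"
    return [f"{scheme}://{host}{path}" for scheme in ("https", "http")]

def parse_security_txt(text):
    """Return {lowercased field name: [values]}, skipping comments and blanks."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first colon only, so URI values keep their own colons.
        name, sep, value = line.partition(":")
        if not sep or not value.strip():
            continue  # not a "Name: value" line (e.g. signature armor)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def contacts(text, now=None):
    """Return (list of contact URIs, True if the file is expired or undated)."""
    fields = parse_security_txt(text)
    now = now or datetime.now(timezone.utc)
    expired = True  # no usable Expires line: treat the file as stale
    for value in fields.get("expires", []):
        try:
            expired = datetime.fromisoformat(value.replace("Z", "+00:00")) < now
        except (ValueError, TypeError):
            expired = True  # unparsable or timezone-less date
    return fields.get("contact", []), expired

if __name__ == "__main__":
    print(candidate_urls("example.com"))
    print(contacts(SAMPLE))
```

An expired or undated file may list a mailbox nobody reads any more, so treat its contacts as a lead to confirm rather than a guaranteed channel.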