Let's say you find an exploit in a vendors application. What's the best way to inquire about a bug bounty if one isn't already listed?

Do not ask for things. Check out what the EFF has to say on this. Maybe after a few reports, tell them about what bug bounties are and suggest that they look into starting one.

Put yourself in the vendor's shoes for a moment. They are more likely to respond well (not getting lawyers involved, giving you things, offering you a job) if you approach them with good intentions and wanting to help. Trying to blackmail them will at best get you nowhere, and at worst lead to legal trouble.

Instead of looking for an instant pay-out, invest in your future. Being able to work with vendors on this kind of thing is more valuable to future employers than a vendor without a bug bounty is going to pay you today. Maybe not every single vendor, but over time, you will have better success being helpful to the vendors who want the help. You'd be surprised what some of them will do for you if you go into the situation with the right attitude.

As for reporting, look around their website for a way to open a ticket/contact them. Ask where you can report a security vulnerability in their product. If that doesn't work, I would suggest finding a technical/leadership type that works there that can get you an official contact.

/r/AskNetsec Thread