Ask HN: How do I disclose bugs to a company without a bug bounty program?

11 points by scott_hardy ↗ HN
I recently found bug on a large (publicly traded) company's website that can lead to personal information exposure. The bug allows you to gain a user's phone number and other personal information given only their email address.

What is the best way to contact this company and responsibly disclose these bug? They have no bug bounty program, I cannot find a dedicated email address for the developer team, and I am reluctant to email their customer support. Thanks in advance!

9 comments

[ 3.0 ms ] story [ 32.8 ms ] thread
> I am reluctant to email their customer support.

If this reluctance is out of security concerns, you could always ask for the best contact method to report security vulnerabilities without disclosing the vulnerability to that email.

Plugging their website into https://whois.icann.org/ may give you some alternative contacts if you just hate customer service.

Even though you're reluctant to email their support, you can contact them without disclosing the specific issue and just ask for their security contact (or a person who is authorized to handle this kind of issue). An alternative is to contact them by phone number, if they have one readily available. Also what MaulingMonkey pointed out, you can see if the whois gives you any more contact info.
As anonymously as possible, IMO.
I agree, in the few cases I have seen the company gets angry.
It's saddening, really. Instead of hiring you, it seems as if they're doing everything they can to stifle, or even worse, sue you.

And if you're Slack, you just pretend like it's an undocumented feature.

Post the exploit here. It will get to where it needs to go... eventually.
You could contact a well known security expert that does this kind of stuff professionally, unless you want to make a name for yourself.
Don't. Hold them for ransom. Why do you want to do charity work for for-profit businesses?