Ask HN: How do I disclose bugs to a company without a bug bounty program?
I recently found bug on a large (publicly traded) company's website that can lead to personal information exposure. The bug allows you to gain a user's phone number and other personal information given only their email address.
What is the best way to contact this company and responsibly disclose these bug? They have no bug bounty program, I cannot find a dedicated email address for the developer team, and I am reluctant to email their customer support. Thanks in advance!
9 comments
[ 3.0 ms ] story [ 32.8 ms ] threadIf this reluctance is out of security concerns, you could always ask for the best contact method to report security vulnerabilities without disclosing the vulnerability to that email.
Plugging their website into https://whois.icann.org/ may give you some alternative contacts if you just hate customer service.
And if you're Slack, you just pretend like it's an undocumented feature.