[rev_bird]

>A few years ago I remember finding a very obvious, easily fixable XSS vulnerability across all of the Department of Homeland Security sites...

I think if I were in this situation today, I just wouldn't say anything. Being ignored would be one of the good outcomes; I'd be terrified of getting chucked into court for being a "HACKER AGAINST HOMELAND SECURITY."

[chris_wot]

Disclosing the vulnerability - what law could they prosecute you under?

[coldpie]

The CFA is so broad that basically doing anything to a server that the server operator didn't anticipate is a violation. And since it was written to protect major companies' infrastructure in the 80s and 90s, the penalties are incredibly harsh.

[rmc]

In order to find the vulnerbility you almost certainly have to try it out. Even for an XSS, you'd have to make a JS alert box popup for yourself. And then you've technically broken the law, since you hacked the website.

[Ntrails]

Depends how you found/testes/found it. In general it's a case of being uncertain what they could do if they decided to.

[chris_wot]

Holy Typo Batman!