Ask HN: How do I disclose bugs to a company without a bug bounty program?

[scott_hardy]

I recently found bug on a large (publicly traded) company's website that can lead to personal information exposure. The bug allows you to gain a user's phone number and other personal information given only their email address.

What is the best way to contact this company and responsibly disclose these bug? They have no bug bounty program, I cannot find a dedicated email address for the developer team, and I am reluctant to email their customer support. Thanks in advance!

[pmiller2]

As anonymously as possible, IMO.

[Mesmoria]

I agree, in the few cases I have seen the company gets angry.

[joshmn]

It's saddening, really. Instead of hiring you, it seems as if they're doing everything they can to stifle, or even worse, sue you.

And if you're Slack, you just pretend like it's an undocumented feature.

[MaulingMonkey]

> I am reluctant to email their customer support.

If this reluctance is out of security concerns, you could always ask for the best contact method to report security vulnerabilities without disclosing the vulnerability to that email.

Plugging their website into https://whois.icann.org/ may give you some alternative contacts if you just hate customer service.

[yladiz]

Even though you're reluctant to email their support, you can contact them without disclosing the specific issue and just ask for their security contact (or a person who is authorized to handle this kind of issue). An alternative is to contact them by phone number, if they have one readily available. Also what MaulingMonkey pointed out, you can see if the whois gives you any more contact info.

[NameNickHN]

You could contact a well known security expert that does this kind of stuff professionally, unless you want to make a name for yourself.

[flukus]

Post the exploit here. It will get to where it needs to go... eventually.

[JSeymourATL]

Try emailing the CIO/CTO direct. You can look up his address here > https://emailhunter.co/

[alexmingoia]

Don't. Hold them for ransom. Why do you want to do charity work for for-profit businesses?