by geetfun 2939 days ago
Contact a lawyer who represents clients for this sort of thing (if such even exists). The company in question — who knows how they will react. Even if we (all of us here on HN) know your intentions are noble, your discovery may inevitably lead to someone getting fired over this. That person may very well portray your hacking as malicious and try to divert the blame on you. Better safe than sorry.
3 comments

I would even suggest that the lawyer contact the company on your behalf without revealing your identity. I've seen these things go sideways and if you really want to disclose, make sure your identity remains anonymous until they explicitly agree not to pursue any legal action. I'll also add that they might behave irrationally - it can take many forms (denial of a security issue, legal action, defamation of character). But I might be a bit cynical as well, been down this road in the past.
I agree with this 100%. If you absolutely must disclose the vulnerability to them, consult with a lawyer. Otherwise, forget it ever happened.

EDIT: Depending on what potentially-logged HTTP requests your curiosity led you through, you may want to pursue the former.

Just use a throwaway/instant email and simply state what's up. No need to go looking for awards or recognition for finding vulns.