by pitaa 2131 days ago
Plus, by having a bug bounty program, it indicates that they're going to be reasonable and accepting of outside bug reports. In the absence of such a program, one can't be sure that a bug report isn't going to result in angry phone calls from tech-illiterate people accusing you of hacking them.

I recently found a compromised server on a university's network. I wasn't going to cold call them to report it because I had no idea how Betty answering the phones would react. Instead, I sent it to an IT contact that I knew personally. I knew that he didn't have anything at all to do with this, but that he would know who to get it to.

1 comment

For what it's worth, with regard to .edu's specifically, you can always report any security-related issues to REN-ISAC [0] via e-mail or telephone (anonymously, if you'd like). The "watch desk" is staffed 24 hours a day.

If the .edu is one of their 668 member institutions [1], they have designated security contacts at the .edu that they can directly get in touch with -- and, in many cases, can even wake somebody up at 3 a.m., if/when it's warranted!

Even if the .edu isn't a member, though, they'll almost certainly have an easier time getting in touch with someone with a clue that they can pass your report along to.

---

[0]: https://www.ren-isac.net

[1]: https://www.ren-isac.net/membership/MemberList.html