[waihtis]

Look for a www.domain-of-the-company.com/security.txt file. That's where you might find a responsible disclosure contact if the company has one (high chance they don't)

[zamnos]

https://www.netflix.com/security.txt exits, but Apple, Google, Microsoft, and Meta don't have one.

[waihtis]

That would be because I typed the url wrong, it's actually /.well-known/security.txt:

https://www.facebook.com/.well-known/security.txt

https://www.apple.com/.well-known/security.txt

https://www.amazon.com/.well-known/security.txt

https://www.google.com/.well-known/security.txt

[zamnos]

TIL! That's great!

The RFC for it came out April 22 and has backing by quite a few organizations.

https://securitytxt.org/

[tjpnz]

Doesn't seem like a widely used convention.

[waihtis]

That would be because I typed the url wrong, it's actually /.well-known/security.txt:

https://www.facebook.com/.well-known/security.txt

https://www.apple.com/.well-known/security.txt

https://www.amazon.com/.well-known/security.txt

https://www.google.com/.well-known/security.txt