[TrackerFF]

Makes me wonder if they (points.com) have some key-word alerts on incoming emails. I know for sure that at some companies, this would have taken hours (to days!) to detect, if the tip had come through a regular info@ or contact@ inbox.

[bakje]

The article mentions a security.txt[1] which doesn't seem to contain an email address but it does contain a link[2] to a disclosure program, I'm guessing that's how they submitted all their findings?

[1] https://www.points.com/.well-known/security.txt

[2] https://bugcrowd.com/plusgrade-vdp-pro