by msephton 636 days ago
I'm interested to know what the correct way to report this would have been, specifically in this case, and what one would expect after reporting it. I've found many things like this and I only reported two: Genius (they said thanks) and Amazon (they replied but ultimately ignored it, and the issue is still there today).

The first thing I would do is look for a security.txt file or search to see if they operate some kind of bug bounty. Failing that, I would browse their website or search for contact details (or even just a contact form). WHOIS can be useful for this. Ideally you'd want some kind of security contact, or a technical contact, but other times you have to make do with the general contact email/form.

In this specific case, they have a general email address at the bottom of their privacy policy, so that's what I'd use.

I'd send them an email along the lines of "I found a security issue with your website; how would you like me to report it to you?". Then they'll hopefully put me in touch with the right person.

In terms of what I'd expect… If they operate a bug bounty (which they don't in this case) then I'd expect what's on offer. If not, it would depend. I often don't expect anything. There have been businesses I've disclosed security vulnerabilities to that are shady enough that I've refused the reward they offered. Sometimes I don't want anything to do with them.

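The security.txt step in the reply above, worked through as an added example (this is not code from the original post or from any vendor). It fetches the file from the RFC 9116 location `/.well-known/security.txt` (falling back to the legacy `/security.txt`), parses it, picks the vendor's first-listed Contact as the preferred channel, and flags the things that make a file useless to a reporter: no Contact, Contact values that are not URIs, and an Expires date that has passed. The embedded sample file is constructed and `example.com` is a placeholder origin; the live fetch helper is there for real use and is not exercised offline.

```python
"""Locate and sanity-check a vendor's security.txt (RFC 9116) before reporting.

Added example for this thread, not code from the original post. The sample
file below is constructed; example.com is a placeholder origin.
"""
import urllib.error
import urllib.request
from datetime import datetime, timezone

# RFC 9116 location first, then the legacy root location some sites still use.
SECURITY_TXT_PATHS = ("/.well-known/security.txt", "/security.txt")
# Contact values must be URIs; these are the schemes RFC 9116 gives as examples.
CONTACT_SCHEMES = ("mailto:", "https:", "tel:")

# Constructed sample; not any real vendor's file.
SAMPLE_SECURITY_TXT = """\
# Constructed sample
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2030-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, fr
Policy: https://example.com/security-policy
"""


def fetch_security_txt(origin, timeout=10):
    """Try the RFC path, then the legacy path, on an origin like https://example.com.

    Returns the file body, or None if neither location serves one. This does a
    live HTTP request and is not used by the offline checks below.
    """
    for path in SECURITY_TXT_PATHS:
        try:
            with urllib.request.urlopen(origin.rstrip("/") + path, timeout=timeout) as resp:
                if resp.status == 200:
                    return resp.read().decode("utf-8", errors="replace")
        except (urllib.error.URLError, ValueError):
            continue
    return None


def parse_security_txt(text):
    """Return {field-name (lowercased): [values in file order]}.

    Comment (#) and blank lines are skipped; field names are case-insensitive
    per RFC 9116. Repeated fields (e.g. several Contact lines) keep their file
    order, which is the vendor's order of preference.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def preferred_contact(fields):
    """First Contact value, i.e. the channel the vendor lists as most preferred."""
    contacts = fields.get("contact", [])
    return contacts[0] if contacts else None


def security_txt_problems(fields, now=None):
    """Checks a reporter cares about: is the file usable and still current?"""
    now = now or datetime.now(timezone.utc)
    problems = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for c in contacts:
        if not c.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact is not a URI (mailto:/https:/tel:): {c}")
    expires = fields.get("expires", [])
    if not expires:
        problems.append("missing required Expires field")
    elif len(expires) > 1:
        problems.append("Expires must appear exactly once")
    else:
        ts = expires[0]
        if ts[-1] in "Zz":  # fromisoformat before 3.11 does not accept a Z suffix
            ts = ts[:-1] + "+00:00"
        try:
            exp = datetime.fromisoformat(ts)
            if exp.tzinfo is None:
                exp = exp.replace(tzinfo=timezone.utc)
            if exp <= now:
                problems.append("file has expired; its contacts may be stale")
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]}")
    return problems


if __name__ == "__main__":
    parsed = parse_security_txt(SAMPLE_SECURITY_TXT)
    print("report to:", preferred_contact(parsed))
    print("problems:", security_txt_problems(parsed) or "none")
```

Against a real target you would call `fetch_security_txt("https://example.com")` and feed the result to `parse_security_txt`; a None result is the signal to fall back to the other channels the reply mentions (bug bounty listing, privacy policy, WHOIS contacts). An expired file is worth noting in the report itself, since it usually means nobody has looked at the security mailbox in a while.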
Thanks! Very useful advice.