|
|
|
|
|
|
by ldjb
637 days ago
|
|
|
First thing I would do is look for a security.txt file or search to see if they operate some kind of bug bounty. Failing that, I would browse their website or search for contact details (or even just a contact form). WHOIS can be useful for this. Ideally you'd want some kind of security contact, or a technical contact, but other times you have to make do with the general contact email/form. In this specific case, they have a general email address at the bottom of their privacy policy, so that's what I'd use. I'd send them an email along the lines of "I found a security issue with your website; how would you like me to report it to you?". Then they'll hopefully put me in touch with the right person. In terms of what I'd expect… If they operate a bug bounty (which they don't in this case) then I'd expect what's on offer. If not, it would depend. I often don't expect anything. There have been businesses I've disclosed security vulnerabilities to that are shady enough that I've refused the reward they offered. Sometimes I don't want anything to do with them. |
|
|