That's tricky.
1.) Check if they are in some bug bounty program like HackerOne or Bugcrowd. If they are, join those websites and route your findings through them.
OR
2.) Check if they have a bug bounty or security program. Mail your findings to their CISO or CTO. Keep a detailed write-up of your findings.
OR
3.) Check where the company is located.
Check the cyber security laws of your country.
Check the cyber security laws of their country.
Check if they can sue you in your country.
Check if your country can protect you if you get sued.
If they can sue you & you cannot lawyer up then just forget it. The bounty is not worth the hassle. Your intentions don't matter. Even if you intend to be a responsible developer, chances are the companies are going to sue you and implicate you in any losses they feel may have been caused by you.
Btw if you even want to provide responsible disclosure without getting paid, don't bother unless you can lawyer up.
Awesome! Turns out they are part of HackerOne. Never heard of those sites so thank you!
That's great news!
Also, welcome to the dark side.
Update: The issue was real but I was the second one to report it :(
Still a pretty cool experience so thanks for helping me again!