

Ask HN: I found a security bug. Should I report it? - po1nter

Disclaimer: English is not my native language and I'm not that good at writing.

Backstory:

I was checking my account on the website of a well known computer-related company (I'll keep it anonymous for now) and I found out that they were giving away some games for those who purchased some piece of hardware of another brand.

Long story short I found the username and password of their sendgrid account (by decompiling one of their programs) and was able to log in successfully.

Why am I asking this question? Well, I don't want to be sued for hacking since I'm a student and I don't really have the money/power to defend myself.
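The root cause behind the post is a mail-service credential shipped inside a distributed program, where anyone with a decompiler or even `strings` can read it. The script below is an added example (not code from the post, the poster, or the company involved) of the kind of release gate a vendor can run over a build artifact before publishing it: it pulls printable strings out of the binary, flags credential-looking assignments and mail-service hosts, and redacts the values in its report. The sample "binary" is constructed here, the credential values in it are made up, and the SendGrid API-key shape (`SG.<22 chars>.<43 chars>`) is an assumption about the vendor's key format rather than something taken from the post.

```python
import re
import string
from typing import Dict, List

# Constructed sample "compiled program" (not the program from the post):
# binary junk with a few embedded strings. The credential values are made up.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x03\x00>\x00\x01\x00\x00\x00\xe0\x10\x00\x00\x00\x00\x00\x00"
    b"smtp.sendgrid.net\x00\x01\x02\x03"
    b"SENDGRID_USER=promo-mailer\x00"
    b"SENDGRID_PASSWORD=Example-Not-A-Real-Secret-123\x00\x00\xff\xfe"
    b"Thank you for your purchase!\x00"
)

# Printable ASCII minus control whitespace, like the `strings` tool uses.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
MIN_LEN = 8

# Credential-looking "name=value" / "name: value" strings.
ASSIGNMENT_RE = re.compile(
    r"(?i)(user(name)?|pass(word|wd)?|pwd|secret|api[_-]?key|token)"
    r"\s*[=:]\s*(?P<value>\S+)"
)
# Assumed SendGrid API-key shape (SG.<22>.<43>); not taken from the post.
SENDGRID_KEY_RE = re.compile(r"\bSG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}\b")
# Hosts whose presence suggests mail-service credentials may be nearby.
MAIL_HOSTS = ("smtp.sendgrid.net", "api.sendgrid.com")


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return runs of printable ASCII at least min_len bytes long."""
    out, cur = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            out.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_len:
        out.append(cur.decode("ascii"))
    return out


def find_embedded_secrets(data: bytes) -> List[Dict[str, str]]:
    """Flag credential-like strings; report them with the secret value masked."""
    findings = []
    for s in extract_strings(data):
        if any(host in s for host in MAIL_HOSTS):
            findings.append({"kind": "mail_service_host", "redacted": s})
        m = ASSIGNMENT_RE.search(s)
        if m:
            value = m.group("value")
            findings.append({
                "kind": "credential_assignment",
                "redacted": s.replace(value, "*" * len(value)),
            })
        m = SENDGRID_KEY_RE.search(s)
        if m:
            findings.append({
                "kind": "sendgrid_api_key",
                "redacted": s.replace(m.group(0), "SG.****"),
            })
    return findings


def scan_release_artifact(data: bytes) -> Dict[str, object]:
    """CI-style gate: block the release if any credential-like string is embedded."""
    findings = find_embedded_secrets(data)
    credentials = [f for f in findings if f["kind"] != "mail_service_host"]
    return {"block_release": bool(credentials), "findings": findings}


if __name__ == "__main__":
    report = scan_release_artifact(SAMPLE_BINARY)
    print("block_release:", report["block_release"])
    for f in report["findings"]:
        print(f"  [{f['kind']}] {f['redacted']}")
```

The report only ever carries masked values, so it can be posted to a build log without leaking the very secret it found. Pattern matching on strings is a cheap first pass; the durable fix is to keep the mail credentials out of the client entirely and have the program talk to a backend the vendor controls.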
======
posnet
First thing is to see if the company has a bug bounty/responsible disclosure
program. If so, make sure that what you have done falls under said program.
Otherwise it is not worth the risk to you. If you still feel motivated to do
so, let them know through anonymous channels or contact a well known security
researcher who will be less of a target if said company decides to take
action.

~~~
pitchit
I'll second this. If they have any sort of security program, go ahead and
report it to them.

Otherwise, it is a bit more risky. Personally, when this has happened to me in
the past, I just send an anonymous email (over tor etc) to
security@example.com and leave it at that.

