
Ask HN: How best to disclose paywall loophole? - arandomwalk
Background: I'm an amateur coder at best, but a solid base in my teens helped me get off the ground. That said, I often putz around on random sites.

Issue/Discovery: A reasonably sized media company who has a paywall for certain content came across my screen recently. I explored the coding for the paywalled site and discovered the content was clearly available in the coding with some basic unicode cleanup needed. To test my skills I wrote a quick script and proved that I could pull the content for any of the "protected" pages.

Question: How do I best disclose the issue without getting into any trouble for discovering it? I want to be sure the hole is closed as I want them to succeed.
======
techjuice
0. Ensure you have documented the steps/workflow to find the vulnerability and how it was exploited, so those tasked with fixing it can reproduce your results. This should be very detailed with pictures, tools used and results/expected results. If you can automate this then it is even better.

1. Check if the site has a bug bounty program, as results submitted there normally go directly to the security team or someone that can get the issue resolved.

2. If you are not able to find a bug bounty program, I would recommend contacting the site support or using the contact form on the site.

3. If that is unsuccessful, email/call the contact information on the website's WHOIS query page (whois domain.tld in terminal).

4. If that fails, use Twitter to send a DM to the site's social media contact.

5. If that fails, make a public post to the Twitter contact (e.g. @newcontact "Hi there, I found a pretty serious problem with your site, contact me ASAP.").

