
Ask HN: How do I report a security issue without getting sued? - madflow
I have noticed a security issue on a certain webpage. The impact is quite severe - there is user data (credit card information) leaking and a user without valid credentials can access information for assumed logged in users (like Forum comments).

I have not tried to create or update any information on this website.

I am not a Security Researcher, White Hat or any color Hat Hacker. I am just a Webdev from next door.

So my question is: How do I report this issue to the website owner without getting sued?

The website contains a disclaimer that forbids "Breach or otherwise circumvent any security or authentication measures". This is actually not necessary - since there is no working security or authentication measure. But still - how does one approach this properly?
======
bryanbrattlof
While I hope our industry has evolved to the point that the chances of getting
sued are pretty low, I feel that I should point you to the EFF[0] for this
kind of advice.

[0]: https://www.eff.org/issues/coders/vulnerability-reporting-faq

