
Ask HN: How do I disclose bugs to a company without a bug bounty program? - scott_hardy
I recently found a bug on a large (publicly traded) company's website that can lead to personal information exposure. The bug allows you to gain a user's phone number and other personal information given only their email address.

What is the best way to contact this company and responsibly disclose this bug? They have no bug bounty program, I cannot find a dedicated email address for the developer team, and I am reluctant to email their customer support. Thanks in advance!
======
pmiller2
As anonymously as possible, IMO.

~~~
Mesmoria
I agree; in the few cases I have seen, the company gets angry.

~~~
joshmn
It's saddening, really. Instead of hiring you, it seems as if they're doing
everything they can to stifle, or even worse, sue you.

And if you're Slack, you just pretend like it's an undocumented feature.

------
MaulingMonkey
> I am reluctant to email their customer support.

If this reluctance is out of security concerns, you could always ask for the
best contact method to report security vulnerabilities _without_ disclosing
the vulnerability to that email.

Plugging their website into
[https://whois.icann.org/](https://whois.icann.org/) may give you some
alternative contacts if you just hate customer service.
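
As an added illustration of the WHOIS route above (example code written for this thread, not something any commenter posted), the script below takes the text of a WHOIS lookup and picks out the email fields by role. The record it parses is a constructed sample, not a real registration: it models the common case where the registrant fields are redacted for privacy while the admin/tech fields and the registrar's abuse address are still present. The registrar abuse contact belongs to the registrar, not the company, so it is kept only as a last-resort fallback.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample WHOIS output (not real data). Registrars frequently
# replace registrant details with a privacy placeholder, modelled here.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-CORP.TEST
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Email: abuse@registrar.example
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: REDACTED FOR PRIVACY
Admin Email: hostmaster@example-corp.test
Tech Email: noc@example-corp.test
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def extract_contacts(whois_text: str) -> Dict[str, str]:
    """Map each 'field: value' line whose field name mentions 'email' to the
    address it carries; redacted fields map to the literal 'REDACTED'."""
    contacts: Dict[str, str] = {}
    for line in whois_text.splitlines():
        if ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip(), value.strip()
        if "email" not in field.lower():
            continue
        match = EMAIL_RE.search(value)
        if match:
            contacts[field] = match.group(0)
        elif "redacted" in value.lower():
            contacts[field] = "REDACTED"
    return contacts


def preferred_contacts(contacts: Dict[str, str]) -> List[Tuple[str, str]]:
    """Order usable addresses: domain-owner roles first, registrar abuse last.
    Redacted entries are dropped because there is nothing to write to."""
    order = [
        "Admin Email",
        "Tech Email",
        "Registrant Email",
        "Registrar Abuse Contact Email",
    ]
    return [(role, contacts[role]) for role in order
            if role in contacts and contacts[role] != "REDACTED"]


if __name__ == "__main__":
    found = extract_contacts(SAMPLE_WHOIS)
    for role, address in preferred_contacts(found):
        print(f"{role}: {address}")
```

If every owner-side field comes back redacted, the only address the record yields is the registrar's, which can forward a request for a security contact but is not the company itself; the script reflects that by ranking it last rather than hiding it.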

------
yladiz
Even though you're reluctant to email their support, you can contact them
without disclosing the specific issue and just ask for their security contact
(or a person who is authorized to handle this kind of issue). An alternative
is to contact them by phone number, if they have one readily available. Also
what MaulingMonkey pointed out, you can see if the whois gives you any more
contact info.

------
NameNickHN
You could contact a well known security expert that does this kind of stuff
professionally, unless you want to make a name for yourself.

------
flukus
Post the exploit here. It will get to where it needs to go... eventually.

------
JSeymourATL
Try emailing the CIO/CTO directly. You can look up his address here:
[https://emailhunter.co/](https://emailhunter.co/)

------
alexmingoia
Don't. Hold them for ransom. Why do you want to do charity work for for-profit
businesses?

