Finding a new vulnerability is exciting and, depending on the vulnerability and organization, can be lucrative. However, finding the vulnerability is only part of the process.
Reporting a vulnerability to a vendor can be difficult. Some vendors are not set up to receive vulnerability reports, and they may not be receptive to hearing about issues with their software. However, reporting vulnerabilities is vital to getting a patch created and deployed.
Finding the right contact
Sometimes, when reporting a security vulnerability to an organization, finding the right person to talk to is the biggest challenge. Not all companies have taken the time to set up a method for ethical hackers to reach out and securely report potential security issues to them.
When looking for a point of contact, some places to check include:
Bug bounty program: if an organization has set up a bug bounty program, this is the appropriate place to report any discovered vulnerabilities. A bug bounty program will include a means of securely contacting the right team, rules of engagement and potentially the opportunity for a reward. However, it is important to read and follow the program’s rules carefully, especially what is and is not considered “in scope.”