Responsible disclosure: report the vulnerability to the organisation that can fix it, and give them time to do so before going public.
Disclosure options
| Approach | When |
|---|---|
| Private | Default - report, wait |
| Coordinated | Vendor slow (90-day deadline) |
| Full disclosure | Last resort after extended silence |
| Bug bounty | When org has programme |
Finding contacts
/.well-known/security.txt, a security@ mailbox, HackerOne/Bugcrowd, CERT/CC.
What responsible looks like
- Discover (within legal scope)
- Document with repro steps
- Report through preferred channel
- Wait for acknowledgement
- Don't exploit beyond demo
- Don't access real user data
- Don't disclose before agreed timeline
Bug bounty programmes
Read scope first. Out-of-scope testing = ban or legal action.
Bounties: Critical $5k-$100k+, High $1k-$15k, Medium $500-$5k, Low $100-$1k.
Writing reports
Title, summary, severity, repro steps, PoC request/response, impact, suggested fix.
Mistakes: No repro steps, scanner output without verification, out-of-scope, excessive drama, testing with real data.
Running a programme
- Create /.well-known/security.txt
- Write disclosure policy with scope and safe harbour
- Set up secure reporting channel
- Acknowledge within 1 day, triage within 3
Safe harbour: "We will not pursue legal action against good-faith researchers."
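Since a programme starts with /.well-known/security.txt, here is an added linter, written for this page rather than taken from it, that checks a file against the RFC 9116 basics a researcher will look for: Contact and Expires present, Contact given as a URI, Expires exactly once with a time zone, not in the past and not more than a year out. The sample file and the example.com addresses are constructed placeholders.

```python
# Added example (not from the page): lint a security.txt against RFC 9116 basics.
from datetime import datetime, timedelta, timezone
REQUIRED = {"Contact", "Expires"}
KNOWN = REQUIRED | {"Encryption", "Acknowledgments", "Preferred-Languages", "Canonical", "Policy", "Hiring", "CSAF"}
# Constructed sample file; example.com is a placeholder domain.
SAMPLE = """# Constructed security.txt for a hypothetical programme
Contact: mailto:security@example.com
Expires: 2099-01-01T00:00:00Z
Policy: https://example.com/security/policy
"""
def parse_security_txt(text):
    """Map each field name to its list of values, skipping comments and blank lines."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        name, sep, value = line.partition(":")
        if line and not line.startswith("#") and sep:
            fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def lint_security_txt(text, now=None):
    """Return a list of problems (empty = passed); `now` is a datetime, ISO string or None."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now.replace("Z", "+00:00"))
    fields = parse_security_txt(text)
    problems = [f"missing required field: {f}" for f in sorted(REQUIRED - fields.keys())]
    problems += [f"unknown field: {f}" for f in fields if f not in KNOWN]
    # Contact must be a URI; a bare e-mail address is a common mistake.
    for c in fields.get("Contact", []):
        if not c.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {c}")
    # Expires: exactly once, zoned, not in the past, and ideally under a year out.
    exp = fields.get("Expires", [])
    if len(exp) > 1:
        problems.append("Expires must appear exactly once")
    elif exp:
        try:
            when = datetime.fromisoformat(exp[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {exp[0]}")
        else:
            if when.tzinfo is None:
                problems.append("Expires must include a time zone")
            elif when <= now:
                problems.append("Expires is in the past; researchers will distrust the file")
            elif when > now + timedelta(days=365):
                problems.append("Expires is more than a year out (RFC 9116 recommends less)")
    return problems
```

Run it over your own file before publishing; an expired or malformed security.txt is worse than none, because researchers will assume the programme is unmaintained.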
The takeaway
Report through proper channels. Clear reports with repro, PoC, impact. Respect scope. If running an app: security.txt, disclosure policy, safe harbour.
