Recently I discovered two medium-size security hacks in an international platform that ironically enough specializes in security by means of phishing prevention.
These issues allowed me to have insight into their internal db and graphql structure and insert data that should not be there. With these hacks I could theoretically make the platform useless for some of their paying clients, but obviously I am not going to do that.
I'd like to point these out to them, but am not intending to go unpaid. How would you contact the people behind this platform with my intentions? It's important not to come off as threatening (I really mean no harm), and not to reveal the source of the issues right away.
As you might guess I have no knowledge about anything like this. If you think this is a bad idea to begin with feel free to share your thoughts as well!

That's tricky.
1.) Check if they are in some bug bounty program like hackerone or bugcrowd. If they are, join those websites and route your findings through them.
OR
2.) Check if they have a bug bounty or security program. Mail your findings to their CISO or CTO. Keep a detailed write-up of your findings.
OR
3.) Check where the company is located,
Check the cyber security laws of your country,
Check the cyber security laws of their country.
Check if they can sue you in your country.
Check if your country can protect you if you get sued.
If they can sue you & you cannot lawyer up then just forget it. The bounty is not worth the hassle. Your intentions don't matter. Even if you intend to be a responsible developer, chances are the companies are going to sue you and implicate you in any losses they feel may have been caused by you.
Btw, even if you want to provide responsible disclosure without getting paid, don't bother unless you can lawyer up.