Ask HN: Found security flaw in site, what should I do?
24 points by asmithmd1 on June 19, 2011 | hide | past | favorite | 15 comments
I found an obvious security flaw in the site of a regional business that serves tens of thousands of customers a month - think a hotel room or airline ticket. Just change the sequential transaction id in the URL and you can see all the details of any transaction (with the exception of credit card number) for the past year. Even worse, you can change any reservation before it is used.

What should I do? Is there a standard protocol about notifying the company before going public? Is there a group I can report the flaw to who will notify the company? I am not any kind of security researcher and don't want to get accused of hacking.
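An added illustration, not part of the thread: a minimal Python model of the bug the poster describes (a sequential transaction id looked up with no ownership check) beside the same read and write paths with a server-side check against the logged-in user. The records, account names and function names are constructed for the example.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a requester may not see or change the requested record."""


@dataclass
class Transaction:
    txn_id: int      # sequential id, the value the poster saw in the URL
    owner: str       # account that made the booking
    details: str


# Constructed sample records standing in for the site's reservation table.
DB = {
    1001: Transaction(1001, "alice", "Room 12, 3 nights"),
    1002: Transaction(1002, "bob", "Flight XY123, seat 4A"),
}


def view_vulnerable(txn_id: int) -> str:
    """The bug: lookup by id alone, so editing the URL shows anyone's booking."""
    return DB[txn_id].details


def _owned_by(current_user: str, txn_id: int) -> Transaction:
    txn = DB.get(txn_id)
    if txn is None or txn.owner != current_user:
        # One error for "missing" and "not yours": no oracle for valid ids.
        raise Forbidden("no such transaction")
    return txn


def view_fixed(current_user: str, txn_id: int) -> str:
    """Read path with a server-side ownership check against the session user."""
    return _owned_by(current_user, txn_id).details


def update_fixed(current_user: str, txn_id: int, new_details: str) -> str:
    """Write path needs the same check; the poster notes bookings could be altered."""
    txn = _owned_by(current_user, txn_id)
    txn.details = new_details
    return txn.details


def denied(fn, *args) -> bool:
    """Helper for checks: True if the call is refused with Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```

The fixed functions return the same "no such transaction" error for a record that does not exist and one that belongs to someone else, so a caller cannot use the response to tell which sequential ids are in use.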



As underwater said, the "responsible" approach is to notify companies and give them sufficient time to fix the problem. Sometimes this is challenging, due to difficulties in establishing contact with the right people or difficulties in convincing them that the issue is serious; in such cases it might be useful to work with someone who has experience in the field -- I'm happy to help if you want.

Generally speaking, as long as you didn't do any more than was necessary to confirm that the issue existed, you're not likely to be accused of wrongdoing; working with/via someone who is recognized in the field would diminish this possibility even further, since "hey, you guys are evil" tends to be defeated very quickly by "this guy has handled lots of issues like this and nobody has ever accused him of wanting anything more than to get the issues fixed".

Just be very careful to make sure that you don't ask for money in any way (including asking them to hire you as a consultant). The best of motives can be very quickly misconstrued when the word "blackmail" comes up.


I think what is normal is to let the company know first. Also give them a test they can reproduce the bug with, and a deadline by which you are going to make the security bug public. The deadline is because many companies ignore the problem until it is public.

This opinion comes from reading this article by Chris Shiflett: http://shiflett.org/blog/2007/mar/my-amazon-anniversary "On this day last year, I informed Amazon about a pretty serious vulnerability and demonstrated it with a few examples and a detailed description. In the description, I explained how to exploit the infamous "1-Click" feature, causing victims to purchase items of my choosing without their knowledge or consent, and I stressed that the scope of the problem extended beyond my benign examples. After some mild prodding, I finally received a reply letting me know that my email had been received, the vulnerability had been verified, and Amazon considered fixing it a top priority."


Google "responsible disclosure". The normal process is to inform their security contact (or more likely tech support), give them a number of weeks to reply and sufficient time to fix the issue. After you've given them a chance to address the issue, feel free to publish a report.


I would phone them or make a disposable email and warn them; that way, if they take the news badly, they'll have a hard time hunting you down. I can't imagine why they would react badly to that in light of all the recent security issues in the media, but there are all kinds of jerks in this world.


Why don't you send an e-mail to the webmaster of the site?

If you're concerned that the company may misunderstand your intent and take some legal action against you, maybe you could send an anonymous e-mail...


...and possibly include a commitment so that you can take credit for it after it's fixed? :)


True story that happened to me: while trying to look up information for a restaurant reservation, I found some security issue that would redirect users to an obscure host name. I think it was an issue of bad DNS setup with their web hosting provider. In any case, being the helpful and detail-oriented web guy, I sent their headquarters team an email with the details of what's wrong and a solution that should fix it. I got an email from them the next morning, and since I started my email with "While I was looking up information for a reservation..." the person arranged the reservation for me. So I thought that was that. But after the meal was done, the owner came out and thanked me personally and took care of all our drinks. And since it was a brewery/restaurant, the beer tasted a bit sweeter :)

I've also sent another email to a small online belt buckle shop to notify them of the insecure way they were setting up PayPal on their site (again, the steps to reproduce the problem and steps to fix it). The owner emailed me back to thank me as well as to take care of the order personally. You know, most people are just happy that you are giving them some help. Being in the hacking community, I would imagine that everyone is the same here--most of us are (overly) helpful individuals. It's in our genes. So don't fight it and do the nice thing of sending them the steps to reproduce the problem and ways they can fix it. If you feel that you should protect your anonymity, do it. But do notify them :)

If one of these days I make an obvious security problem, I would hope that one of us here would shoot me an email so I can fix it immediately. And I promise to do the same.


"Hi there, I was retyping a link to my invoice and screwed up a digit. It took me to someone else's page, which seems odd. For example, my link was <link> and I accidentally typed <other link>. Not sure if this is a problem or anything, so I just wanted to bring it to your attention. I'm not sure if this is the right place to email, so please let me know that you got this."

When you make strong statements, other people often have a tendency to react strongly and defensively. I assume that the person at the other end is both competent and concerned - give them every benefit of the doubt.

If you find that isn't the case, then, and only then, you can email them and use the word "security" and talk about going public after n weeks, etc.

(I am not a lawyer.)


Simply inform them about the issue you have just seen. I wonder why they would want to think otherwise of you, as you are just trying to help? But for the worst case, consider keeping all of your records. Just be true to yourself about what you have seen and tell them to solve it. If you know how to solve it, possibly you can ask them for some money, saying you can fix it.


In the age of any website getting hacked, take your steps carefully. But then don't make a business of this discovery; assist instead. Go ahead and inform them by phone call, and keep logs of your conversation.


Emailing the webmaster is a good way to begin. Try security@domain and hope someone checks the catchall inbox. Learn about best practices for responsible disclosure if you want to escalate.


Just use whatever contact they have on the website.

Dear <company> website team,

I am a security consultant for <my new company I made 10 seconds ago>.

While casually visiting your site, I recently found a severe security bug that not only leaks private information, but has the potential to alter a user's reservations.

Please contact me as soon as possible so I can let your technical team know about the problem (no charge, of course).

Thanks,

Me Security Consultant, <new company> <phone #>

Might as well try to get some business out of it ;-)


I found one of these and notified the IT manager of the company. It wasn't hard to get them on the phone. Then I got free stuff and many thanks in return, plus warm fuzzies.


Hand it over to LulzSec


Call lulzsec as fast as you possibly can! /sarcasm



