I recently found bug on a large (publicly traded) company's website that can lead to personal information exposure. The bug allows you to gain a user's phone number and other personal information given only their email address.<p>What is the best way to contact this company and responsibly disclose these bug? They have no bug bounty program, I cannot find a dedicated email address for the developer team, and I am reluctant to email their customer support. Thanks in advance!
> I am reluctant to email their customer support.<p>If this reluctance is out of security concerns, you could always ask for the best contact method to report security vulnerabilities <i>without</i> disclosing the vulnerability to that email.<p>Plugging their website into <a href="https://whois.icann.org/" rel="nofollow">https://whois.icann.org/</a> may give you some alternative contacts if you just hate customer service.
Even though you're reluctant to email their support, you can contact them without disclosing the specific issue and just ask for their security contact (or a person who is authorized to handle this kind of issue). An alternative is to contact them by phone number, if they have one readily available. Also what MaulingMonkey pointed out, you can see if the whois gives you any more contact info.
Try emailing the CIO/CTO direct. You can look up his address here > <a href="https://emailhunter.co/" rel="nofollow">https://emailhunter.co/</a>