"Hi team,
I found a vulnerability in your website and want to disclose it to you.
Let me know if you have any active bug bounty program or is there any compensation for reporting vulnerabilities?"

What's the correct course of action for a software team, or management, when a user asks to disclose a vulnerability they've found?
Either

"Hi, we do have a bug bounty program, please submit through the link here... Please note, disclosure and all further communication must be through the bug bounty portal"

or

"Hi, unfortunately we do not have a bug bounty program or other compensation, but we would love to address the vulnerability you found, please send details to ..."

That could be you, or a security team mailing list or whatever is appropriate.

Most likely, they'll tell you your site is missing browser security headers or something that they found with a vulnerability scanner, but sometimes there are good reports. Sometimes they'll try to get you to do ad-hoc compensation, which I would refuse (smells like extortion).
If you don't have a bug bounty program (sounds like you don't), be upfront about it.

You are probably still interested in what the user has to say, though it's most likely something caught by automated tools, so ask them if they are willing to share the details and how the vulnerability is reproduced without the expectation of a payment.

I do not suggest hinting that you'd check with management on whether you are willing to pay out a bounty (even if you are), since they might simply stall in letting you know the details even if the answer turns out to be no.

Ofc, it'd be good to set up a bug bounty program so you are not caught off guard the next time. Even then, 90% of things you get are unlikely to be actual vulnerabilities, but you want to know when they are.