Hi - For one of my side businesses, I have a business checking account with a fintech company. (That is, not a bank, but rather providing a user interface on top of an existing bank.) I've been plenty happy with the service (all the features I need, no fees, no hassle). In the course of using my account, I accidentally stumbled across a security bug, where the website will leak other clients' private information.<p>I tried to get in touch with some higher-ups (co-founder and lead engineer) via LinkedIn, but no luck. I emailed support asking to get connected with some higher-ups to report the bug, and they thought I was asking for a job. I called support, and the rep didn't seem to understand the nature or the gravity of the security bug, and said they would forward my report to the "accounts department".<p>Anyhow, what is the normal and proper procedure you would follow to report this to the organization?<p>I appreciate the insight!
The normal way for the average company is basically what you're experiencing. Eventually you'll either get lucky and get a useful response, give up, or publish the vuln to the public.<p>In medium/large tech companies, you'll often have a security@ or a bug bounty program or some other clear way to report a vuln, but without naming the company there's not much we can do to guess how to contact them.