I checked HackerOne and they don't have a bug bounty program. What's the appropriate way to report this?
I wasn't doing any pen testing, I accidentally uncovered this exploit while using the website as a customer. This is a massive bank that doesn't have a history of acting ethically.