HACKER Q&A
📣 mnehring

Proper procedure/etiquette for reporting a security bug to a fintech


Hi - For one of my side businesses, I have a business checking account with a fintech company. (That is, not a bank, but rather providing a user interface on top of an existing bank.) I've been plenty happy with the service (all the features I need, no fees, no hassle). In the course of using my account, I accidentally stumbled across a security bug, where the website will leak other clients' private information.

I tried to get in touch with some higher-ups (co-founder and lead engineer) via LinkedIn, but no luck. I emailed support asking to get connected with some higher-ups to report the bug, and they thought I was asking for a job. I called support, and the rep didn't seem to understand the nature or the gravity of the security bug, and said they were forwarding my report to the "accounts department".

Anyhow, what is the normal and proper procedure you would follow to report this to the organization?

I appreciate the insight!


  👤 akerl_ Accepted Answer ✓
The normal way for the average company is basically what you're experiencing. Eventually you'll either get lucky and get a useful response, give up, or publish the vuln to the public.

In medium/large tech companies, you'll often have a security@ or a bug bounty program or some other clear way to report a vuln, but without naming the company there's not much we can do to guess how to contact them.