Today I tinkered around with a public API and found a security issue (SQL injection). I don't want to get in trouble and I read about cases where the owner of the site sued the reporter of an issue.
I was not looking for issues, I'm not trying to sell this issue nor selling data - I found it accidentally. I could ignore it, but before someone uses this in a harmful way, I thought: Let's ask the experts.
There is no bug bounty program, the site is probably handcrafted (no frameworks like Keystone, WordPress or something).
So I would love to get some advice on how to handle this?!
Thank you.
Report it from a new, random email address not connected to you in any way. Try to reach the engineers directly so it doesn't go through someone non-technical.
Barring that, an email to the administrator through a contact form would work. If you're worried about how they will perceive this feedback, I'd start with a query before submitting the issue. "I noticed a potential security issue with your site. What is the best way to report it?".