I suspect that the direction of these situations often depends on how your initial email is routed internally in these organizations. If they go to a lawyer first, you will get someone who tries to fix things with the application of the law. If it goes to an engineer first, you will get someone who tries to fix it with an application of engineering. If it were me, I would have avoided involving third party regulators in the initial contact at least.
Yes, this routing is common. German energy company recommended by a climate organization had a somewhat similar vulnerability and no security contact, so I call them up and.. mhm, yes, okay, is that l-e-g-a-l-@-company-dot-de? You don't want me to just send it to the IT department that can fix it? Okay I see, they will put it through, yes, thank you, bye for now!
Was a bit of a "oh god what am I getting into again" moment (also considering I don't speak legal-level German), but I knew they had nothing to stand on if they did file a complaint or court case so I followed through and they just thanked me for the report in the end and fixed it reasonably promptly. No stickers or maybe a discount as a customer, but oh well, no lawsuit either :)
> If it were me, I would have avoided involving third party regulators in the initial contact at least.
I'm surprised to see this take only mentioned once in this thread. I think people here are not aware of the sheer amount of fraud in the "bug bounty" space. As soon as you have a public product you get at least 1 of these attempts per week of someone trying to shake you down for a disclosure that they'll disclose after you pay them something. Typically you just report them as spam and move on.
But if I got one that had some credible evidence of them reporting me to a government agency already, I'd immediately get a lawyer to send a cease and desist.
It seems like OP was trying to be a by the book law abiding citizen, but the sheer amount of fraud in this space makes it really hard to tell the difference from a cold email.
