
I get where you're coming from, but I would still encourage people to report. Most companies will want to fix it and hush it up.

I have previously found a way to access very personal information in a large corporate billing system. When I contacted them I specifically used careful language: that what I'd done was unintentional, an easy mistake that could lead others to this, that I kept zero data and exited the system as soon as I realised 'my mistake', and that I was very surprised. Basically enough that 1) if it should go to court the situation would be in my favour as much as it can be, and 2) given they were a well-known public retailer, I figured this would hit social media and make an uproar about the company should they act badly.

Initially I contacted several people in IT and heard nothing. Six months later, when I noticed this was still open, I contacted the CEO. Expecting nothing or a canned 'thanks', they were thankful and I had some follow-up contact about the issue.

I won't say there is no risk, but I think it's the right thing to do and the risk seems minimal. And you can always do it anonymously.

Doing the right thing is admirable. Doing something that helps a little bit, when the group that you are trying to help may or may not try to destroy you, seems like it's not such a great idea. If a company doesn't have a set of published procedures for reporting a bug, it's not worth helping them.


It depends. Sometimes the organization may be handling your personal data, other times a bug in some Ukrainian tax software may be exploited and cause downtime in a global shipping company.

I realize that big incidents are probably the only way to get laypeople to care about IT security in the long run, but still it may be preferable to help avert them when possible, for various quite practical reasons.


> And you can always do it anonymously.

Assuming you have done the hacking anonymously in the first place.


Yeah, you have to consider if there might be logs likely showing you to be the only person to have used the system in the manner you described.


That's yet another reason to run something like Qubes OS, split up your online presence into distinct "domains" and heavily firewall each domain, only connecting it through VPNs and/or Tor in most cases.


Because TOR is safe...


What I would suggest is to report the bug in an anonymous manner if possible. They're not going to be able to do much if you report a bug anonymously, I would think? I mean, in the case of people who find bugs by "accident": I'm guilty of messing with a URL here or there to get the true HQ picture of a website.
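The two points above (that server logs may show you were the only client poking at the system that way, and that "messing with a URL" to reach other people's records is how these bugs are usually found) are easier to see with a concrete log check. The following is an added example, not code from any commenter: it parses constructed access-log lines for a hypothetical `/billing/invoice?account=N` endpoint and reports which client pulled invoices for several accounts in an unbroken ID run. The log lines, IP addresses and endpoint path are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample web-server access log (combined log format style).
# Three clients read invoices from a billing endpoint; one of them walks
# through a run of account IDs that are not its own. Made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /billing/invoice?account=10041 HTTP/1.1" 200 5123
198.51.100.23 - - [10/Oct/2023:13:55:41 +0000] "GET /billing/invoice?account=10042 HTTP/1.1" 200 4987
203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /billing/invoice?account=10042 HTTP/1.1" 200 4987
203.0.113.7 - - [10/Oct/2023:13:56:03 +0000] "GET /billing/invoice?account=10043 HTTP/1.1" 200 5010
203.0.113.7 - - [10/Oct/2023:13:56:04 +0000] "GET /billing/invoice?account=10044 HTTP/1.1" 200 5200
198.51.100.23 - - [10/Oct/2023:13:57:10 +0000] "GET /billing/invoice?account=10042 HTTP/1.1" 200 4987
192.0.2.55 - - [10/Oct/2023:13:58:00 +0000] "GET /billing/invoice?account=10099 HTTP/1.1" 200 4900
192.0.2.55 - - [10/Oct/2023:13:58:05 +0000] "GET /static/logo.png HTTP/1.1" 200 812
"""

# One combined-format request line: client IP, timestamp, request, status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Hypothetical endpoint where the account ID is a client-controlled query parameter.
ACCOUNT_RE = re.compile(r'^/billing/invoice\?account=(\d+)$')


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records


def accounts_by_client(records):
    """Map client IP -> ordered list of account IDs it successfully fetched."""
    seen = defaultdict(list)
    for rec in records:
        m = ACCOUNT_RE.match(rec["path"])
        if m and rec["status"] == 200:
            seen[rec["ip"]].append(int(m.group(1)))
    return dict(seen)


def is_sequential_run(ids):
    """True if the distinct IDs form one unbroken ascending run (classic enumeration)."""
    uniq = sorted(set(ids))
    return len(uniq) >= 2 and uniq[-1] - uniq[0] == len(uniq) - 1


def flag_enumerators(records, max_accounts=1):
    """Return [(ip, distinct_account_count, sequential)] for clients that read
    more than max_accounts distinct accounts, most active first."""
    hits = []
    for ip, ids in accounts_by_client(records).items():
        distinct = len(set(ids))
        if distinct > max_accounts:
            hits.append((ip, distinct, is_sequential_run(ids)))
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for ip, n, seq in flag_enumerators(parse_log(SAMPLE_LOG)):
        print(f"{ip}: {n} distinct accounts, sequential={seq}")
```

Run against the constructed log, only 203.0.113.7 is flagged: it read four consecutive account IDs within a few seconds, while the other two clients each touched a single account. That is the kind of record an operator (or a prosecutor) can pull months later, which is why "report anonymously" only helps if the original access was anonymous too.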