Serious Security: How to make sure you don’t miss bug reports!
2021-09-13 18:59

Lots of companies these days either run bug bounties, or hire an outside company to look after bug submissions, which shows that they are genuinely interested in knowing about security vulnerabilities in their products or services.

Secondly, even researchers who do this sort of thing for a living need to know the right place to start, and having a standardised storage place for contact details makes bug reporting easier for everyone.

The problem with sending comments such as bug reports to email addresses that aren't clearly listed as "the right place to send notifications about cybersecurity issues" is that you can't be sure the email reached anyone, or, even if it did, that the recipient knew what to do with it.

According to news site The Register, Greig's video did get the attention of someone at McDonalds, but the company was at first inclined to treat the bug report as "Suspicious", leading to yet further delays in dealing with it.

It's currently a draft internet standard entitled A File Format to Aid in Security Vulnerability Disclosure, and the proposed system has already been accepted by IANA as what's known as a Well-Known URI. The filename is the easily-remembered security.

We're offering you three different ways to get in touch with us, from an internal email address for those who prefer direct contact, to a third-party website for those who are interested in submitting security reports to stake a formal bounty claim.
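A small validator for a security.txt file, as an added example that is not from the article or from Sophos: it parses the file and flags the defects that most often make a published file useless (a missing or past Expires, a bare email address instead of a mailto: URI, an unknown field). The field names follow RFC 9116, the published form of the draft the article describes, and the sample file is constructed here, not the article's own.

```python
import re
from datetime import datetime, timezone
# Constructed sample file (not a real organisation's), using RFC 9116 field names.
SAMPLE = """\
Contact: mailto:security@example.com
Contact: https://bugbounty.example.com/report
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en
"""

REQUIRED = {"Contact", "Expires"}
KNOWN = REQUIRED | {"Encryption", "Acknowledgments", "Preferred-Languages",
                    "Canonical", "Policy", "Hiring", "CSAF"}

def parse_security_txt(text):
    """Return {field: [values]}, skipping comments and blank lines."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'Field: value'")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def validate(fields, now=None):
    """Return a list of problems; an empty list means the file is usable."""
    now = now or datetime.now(timezone.utc)
    problems = [f"missing required field {f}" for f in REQUIRED - fields.keys()]
    problems += [f"unknown field {f}" for f in fields.keys() - KNOWN]
    # Contact values must be URIs (mailto:, https:, tel:); a bare address is not valid
    for c in fields.get("Contact", []):
        if not re.match(r"^(mailto|https|tel):", c):
            problems.append(f"Contact is not a URI: {c}")
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("more than one Expires field")
    for e in expires:
        try:
            when = datetime.fromisoformat(e.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {e}")
            continue
        if when.tzinfo is None:
            problems.append(f"Expires lacks a timezone: {e}")
        elif when <= now:
            problems.append(f"file expired on {e}; researchers may distrust it")
    return problems
```

Running `validate(parse_security_txt(SAMPLE))` returns an empty list; feeding it a file with a bare email address and two past Expires lines returns one problem per defect, which is what you would wire into a CI check so the published file never silently goes stale.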


News URL

https://nakedsecurity.sophos.com/2021/09/13/serious-security-how-to-make-sure-you-dont-miss-bug-reports/