Slashdot Mirror


Informing a Company of a Security Discovery?

An anonymous reader asks: "I recently found a major security flaw through serendipitous independent research. I do not want to go into details, but it could be used against certain companies and have a large negative financial impact. However, I have no wish to use this for malicious purposes, and would rather profit by helping the company fix the problem. Seeing as many researchers have been persecuted/prosecuted lately for public disclosure, what is the best way to go about informing the company and agreeing on an appropriate fee for my services, without having it look as though I am trying to extort them?"

2 of 102 comments

  1. Extortion, by earnest+murderer (Score: 2, Informative)

    It will be hard to do that, mostly because that is the f'ing definition of extortion.

    My advice. Make note of it, and move any money you need to out of their hands. Tell your friends and family. Nod sagely when the shit hits the fan.

    --
    Platform advocacy is like choosing a favorite severely developmentally disabled child.
  2. anonymous disclosure howto, by ubiquitin (Score: 2, Informative)

    So you want to disclose a bug to a company without fear of reprisal? Good! Don't want to take on any liability for private disclosure of a newly discovered vulnerability, and disclosure is the right course of action? Here's how:

    step 1: get a bootable CD that supports wireless like AnonymOS or Knoppix or Auditor Linux

    step 2: find a way to randomize your laptop's wifi MAC address

    step 3: go to a random coffee shop or access point for which physical access is hard to track

    step 4: generate a gpg key for future use

    step 5: log on to the interweb and set yourself up with a gmail or hotmail or yahoo email address with a fictional name

    step 6: email your gpg private and public key to yourself for future use

    step 7: notify the company using the above fictional name

    step 8: sign your disclosure email with gpg, and include the public key so you can prove later it was you

    step 9: don't expect to be contacted, but do check that email address from a similarly anonymous point on the network in a month or two.

    --
    http://tinyurl.com/4ny52
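Step 8 above (sign the disclosure, ship the public key, prove authorship later) is the one part of this recipe a recipient can actually check. The script below is an added example, not the poster's own; it uses a throwaway GnuPG key in a private keyring, clearsigns a constructed report, then verifies it from a clean keyring holding only the exported public key, and shows that a tampered copy is rejected. The user id, addresses and report text are placeholders.

```shell
#!/bin/sh
# Added example: clearsign a report with a throwaway GPG key, then verify it
# later from a fresh keyring using only the exported public key.
# All names and the report text are constructed placeholders.
set -e

# Make a throwaway key in a private GNUPGHOME (batch mode, no passphrase).
make_key() {
    export GNUPGHOME="$(mktemp -d)"
    chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "disclosure-reporter <none@example.invalid>" default default 0
    # Export the public key; this is what accompanies the first email.
    gpg --batch --quiet --armor --export "none@example.invalid" > "$GNUPGHOME/reporter.pub"
}

# Clearsign the report text; the .asc output is what goes in the email body.
sign_report() {
    printf '%s\n' "Constructed sample: vulnerability report body goes here." > "$GNUPGHOME/report.txt"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --clearsign --output "$GNUPGHOME/report.txt.asc" "$GNUPGHOME/report.txt"
}

# Later: in an empty keyring, import only the public key and verify.
# gpg --verify exits 0 only on a good signature from a key in that keyring.
verify_report() {
    VERIFY_HOME="$(mktemp -d)"
    chmod 700 "$VERIFY_HOME"
    gpg --homedir "$VERIFY_HOME" --batch --quiet --import "$GNUPGHOME/reporter.pub"
    gpg --homedir "$VERIFY_HOME" --batch --quiet --verify "$GNUPGHOME/report.txt.asc"
}

# A copy whose body was edited after signing must fail verification.
verify_tampered() {
    sed 's/goes here/was changed/' "$GNUPGHOME/report.txt.asc" > "$GNUPGHOME/tampered.asc"
    if gpg --homedir "$VERIFY_HOME" --batch --quiet --verify "$GNUPGHOME/tampered.asc" 2>/dev/null; then
        return 1   # a tampered report verifying would be a bug
    fi
    return 0
}

make_key
sign_report
verify_report
verify_tampered && echo "signed report verifies; tampered copy rejected"
```

The public key block in reporter.pub is the only thing the company needs to keep; anyone holding the matching private key can later sign a fresh challenge to show the two messages came from the same person.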