Recently I discovered two medium-sized security hacks in an international platform that, ironically enough, specializes in security by means of phishing prevention.
These issues allowed me to have insight into their internal DB and GraphQL structure and insert data that should not be there. With these hacks I could theoretically make the platform useless for some of their paying clients, but obviously I am not going to do that.
I'd like to point these out to them, but am not intending to go unpaid. How would you contact the people behind this platform with my intentions? It's important not to come off as threatening (I really mean no harm), and not to reveal the source of the issues right away.
As you might guess, I have no knowledge about anything like this. If you think this is a bad idea to begin with, feel free to share your thoughts as well!