Have you struck out trying to connect with a contact at an organization to report a vulnerability, data leak, or other security problem?
Post a new thread in this channel starting with “CONTACT ASSISTANCE” and the folks who monitor this channel will try to assist.
Please include the following:
- The name of the organization,
- Brief description of what you need,
- Any information on what you’ve tried so far.
In particular, before you post please make sure you’ve:
- Checked for contact details via diodb, any security.txt listings that might exist, and on Bugcrowd/HackerOne/etc,
- Attempted contact/conversation via the recommended channels if available.
This is a community service so please treat it with respect. Spamming, solicitation of services, and time-wasting will not be tolerated (or treated kindly).
Hi again, I hope the community can help me.
I need to report a vulnerability to Booking.com.
I tried to contact them through their website, but they don’t make it easy tbh.
DMed them on Twitter… no answer. Tagged them as well… Google dorked hoping they had a security email contact, but didn’t find anything either.
I hope you can help me.
Thanks
Hey @d4rkhunt3r!
This is pretty lame by them. If you know the specific part of the framework or application, you might be able to submit an issue on their GitHub or, better yet, submit a PR.
Else, you will be able to find developers who work for Booking on their GitHub and DM them on Twitter.
Since they’re a holiday/seasonal and highly COVID-affected enterprise/company, this should be an interesting exercise!
PS: Logging the issue on GitHub also proves that you are the person or team that identified the bug.
PPS: they’re nowhere to be found on diodb/program-list.json at master · disclose/diodb · GitHub
If you do end up getting in touch with them, it would be good to submit a PR back to the diodb program database so future bounty hunters don’t have to repeat the same process!
Let us know how you go, please.