a. Give me enough details to reproduce the vulnerability
b. Allow me a reasonable amount of time to fix the vulnerability before making any info public
c. Avoid data deletion, unauthorized data access, and service disruption while testing the vulnerability you found
d. Don’t ask for compensation for your report
a. I’ll let you know I got your report
b. I’ll give you an estimate of how long the fix will take
c. I’ll tell you when I’ve fixed the vulnerability
If your vulnerability report is valid and you'd like to be recognized for your contribution, I’d love to add you to my Heroes of Rawket list, by name or anonymously.