I've found an SQL injection vulnerability in a website and I want to report it. I do have a contact email, but I'm afraid that they'll sue me because I found a way to hack into their site. (No, I didn't run any SQL commands.)

So... aside from staying anonymous, how should I go about reporting this one?

  • "(No, I didn't run any SQL commands)" Well, that's no fun. Also, I don't think it can really count as "hacking" if, as your question implies, you found out completely by accident and haven't even run anything on their machine. – Parthian Shot Jul 23 '15 at 22:34

2 Answers

Any domain has an abuse address. Try contacting them there. If you are uncertain of their reaction, use an "anonymous" mailing service through a VPN and/or proxy.

Sebi
First: DO NOT make it publicly known. This will just give someone the opportunity to do harm before anyone gets a chance to fix the problem.

Second: If you have the proper contact info, then simply contact them and make them aware of what you found (staying anonymous could help you if you are concerned about potential backlash, but it might also help to have a way of letting them contact you for follow-up). Be sure that you are contacting the proper authority. That is, the company/person who owns the website is not necessarily the person who created the code containing the vulnerability. You will want to make sure you are contacting the person(s) who will actually be in a position to fix the issue.

More info can be found here: https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/ This link is from WP, but the info is general enough to point you in a good direction regardless.

KnightHawk