What do you do when you think a company would just fix the bug based on your report and not pay out anything? I have seen so many bugs in the wild like this. For example a site in the UK where I can get access to any account I wish.
Are there any data protection laws that would provide leverage? How would you make first contact with a company that doesn't advertise a bug bounty program?
Does this kind of email seem ok?
"Hi, I have seen a security vulnerability on your site. How do I report it? What do you pay?…
May you respond in the next 7 days or I will be forced to take this to xxx.org for the protection of your users"
No, that email doesn't seem okay at all. That's extortion. A company has every right to not offer a bug bounty, and to fully prosecute you for trying to find a vulnerability (you can quibble about what "trying to find a vulnerability" means, but they have the right, like it or not). You have no right to demand payment for a perceived vulnerability in a company's infrastructure, even if they have a bug bounty program.
The most serious vulnerabilities I ever found (read: the greatest potential for exploitation) came from reports to companies without bug bounties, so I know the position you're in. But looking for payment in return for vulnerabilities outside of the context of a bug bounty sets a precedent for the wrong motivation and is inherently adversarial to the company. Do not fish for vulnerabilities, then try to hold out your report for payment. Whether or not you believe it is unethical is a matter of personal opinion I suppose (I believe it's unethical), but it is at least illegal.
Now, let me clarify: there is nothing wrong with giving a company a deadline before you go public. But 7 days is far too short a deadline. 90 days is better. And if you do this, you don't seek payment, you do it because you're a professional security researcher who cares about their security, not because you're trying to make a quick buck.
When you find a vulnerability like this, you proceed carefully. Contact a software developer, or better yet, a security team member (if they have one) who is technically savvy enough to understand your report. It would be best to do this anonymously. Email is strongly preferable, but you can escalate to Twitter if it means being put in contact with the right person. Obviously this means asking for help with security on Twitter, not disclosing the vulnerability publicly.
> "And if you do this, you don't seek payment, you do it because you're a professional security researcher who cares about their security, not because you're trying to make a quick buck."
What if you aren't a professional security researcher, though? I'm sure there are plenty of underpaid people out there who stumble onto bugs like this every so often. Yes, asking the company to give you money on threat of revealing the bug is definitely extortion, but you are assuming a little too much in this case I believe. Some people may truly need the money.
Needing money is not, in our current economic system, enough cause to get it. If we are accepting the premise that extorting people this way is illegal and unethical, it doesn't become more legal because you are poor or not a professional, and probably not more ethical either.
Exactly what I was looking for, thanks. 90 days seems to ring a bell with what Google is doing at the moment with Microsoft, Apple etc. Maybe not so much for (in this case) simply adding the http flag to your plain text user session cookie. But this is what I was looking for, best practices.
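The fix the comment above refers to is the HttpOnly attribute on the session cookie (together with Secure and SameSite, which a reviewer would ask for in the same breath). As an added example that is not part of the thread, the following checks a Set-Cookie header for those attributes and builds a hardened replacement. The cookie name and value are constructed; the attribute checks use only the standard library's http.cookies module.

```python
from http.cookies import SimpleCookie

# Added example, not code from the thread. Audits one Set-Cookie header value
# for the attributes a session cookie should carry, and builds a hardened one.

# Morsel attribute key (lowercase) -> name as it appears in the header.
REQUIRED = {"httponly": "HttpOnly", "secure": "Secure", "samesite": "SameSite"}


def audit_set_cookie(header_value):
    """Return {cookie_name: [missing attribute names]} for a Set-Cookie value.

    A flag attribute (HttpOnly, Secure) is stored as True when present and as
    "" when absent; SameSite is stored as its value ("Lax", "Strict", "None").
    """
    jar = SimpleCookie()
    jar.load(header_value)
    report = {}
    for name, morsel in jar.items():
        report[name] = [label for key, label in REQUIRED.items() if not morsel[key]]
    return report


def hardened_session_cookie(name, value, max_age=3600):
    """Build a Set-Cookie value with the attributes a session cookie needs.

    HttpOnly keeps script (and therefore XSS) away from the value, Secure keeps
    it off plaintext HTTP, SameSite=Lax blunts CSRF, Max-Age bounds its life.
    """
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()


# Constructed sample: a session cookie set with a path only, as the comment
# above describes (the value is made up).
WEAK_HEADER = "PHPSESSID=9f2c1a7e; Path=/"

if __name__ == "__main__":
    print(audit_set_cookie(WEAK_HEADER))
    fixed = hardened_session_cookie("PHPSESSID", "9f2c1a7e")
    print(fixed)
    print(audit_set_cookie(fixed))
```

Run against a real response, the audit is just `audit_set_cookie(resp.headers["Set-Cookie"])` for each Set-Cookie header; a session cookie reported with HttpOnly missing is exactly the finding the comment describes.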
>to fully prosecute you for trying to find a vulnerability
Wouldn't that strongly depend on how you found it? E.g. if a friend sends you an invite to share files on dropboks.com (hypothetical Dropbox-like service) and you copy and paste only part of the link, you now have access to his files (think /mergers/dove-soap but you insert /mergers/ and get to see all his mergers). In this case you stumbled on a huge security issue but how did you do anything illegal?
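The bug in that hypothetical is that the share link's token is checked for existence but not for what it covers, so trimming the link to a directory prefix lists everything under it. As an added example (not from the thread, and the dropboks.com service, the token and the file table are all constructed), here is that handler beside a version where a token grants exactly one normalized path and nothing else.

```python
import posixpath

# Added example, not from the thread. Both the share table and the file
# listing are constructed to mirror the comment's hypothetical.
SHARES = {"tok-7f3a": "/mergers/dove-soap"}  # share token -> the ONE path it grants
FILES = {
    "/mergers/dove-soap": b"dove-soap deal memo",
    "/mergers/acme-widgets": b"acme deal memo",
    "/hr/salaries": b"payroll",
}


def vulnerable_list(token, path):
    """Bug: validates that the token exists, not that it covers `path`.

    A link to /mergers/dove-soap trimmed to /mergers/ lists every file under
    /mergers/, because the only check is "is this a real share token?".
    """
    if token not in SHARES:
        raise PermissionError("unknown share token")
    return sorted(p for p in FILES if p.startswith(path))


def hardened_list(token, path):
    """Fix: the token authorizes exactly one path, compared after normalizing.

    Normalizing first means /mergers/dove-soap/../acme-widgets is compared as
    /mergers/acme-widgets and denied; a directory prefix never matches a file.
    """
    granted = SHARES.get(token)
    requested = "/" + posixpath.normpath(path).lstrip("/")
    if granted is None or requested != granted:
        raise PermissionError("token does not cover this path")
    return [requested] if requested in FILES else []


def denied(handler, token, path):
    """Helper for the checks below: True if the handler refuses the request."""
    try:
        handler(token, path)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # The shared link works in both versions.
    print(vulnerable_list("tok-7f3a", "/mergers/dove-soap"))
    print(hardened_list("tok-7f3a", "/mergers/dove-soap"))
    # The trimmed link exposes the whole directory only in the vulnerable one.
    print(vulnerable_list("tok-7f3a", "/mergers/"))
    print(denied(hardened_list, "tok-7f3a", "/mergers/"))
```

The design point is that a capability URL must name its object exactly: authorization is "does this token grant this object", never "is this token valid" plus a prefix match on whatever path the client supplied.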
Edit: I should probably expand on that. Telling a company that you know about a bug but won't tell them about it if they don't pay you and instead threaten to turn it over to other parties who may have more nefarious intentions is pretty much extortion and is likely illegal.
I understand that you'd want to make money out of it, but if the company offers no bug bounty, it's no good threatening them. If you do so, it'll likely trigger a hostile response.
But is it my responsibility to spend time reporting this to them? Should I leave the vulnerability for others to take advantage of, if they come across it? How do I know that others aren't already doing so?
With this specific vulnerability it could be used to build an address book of emails, {home,work} addresses, telephone numbers etc., given the nature of the app.
Not like that. A few times I've gotten free software, twice I got some recognition, and one time I got $500. This was years ago before bug bounties were a thing. I simply emailed a technical person (once I called because I had a prior business relationship) saying I had found a bug with security implications and I wanted to let them know privately, and asked who the best person was. Someone has always been grateful at least. After you've explained everything to the right person and they get back to you, then you can ask. The $500 I did not even ask for; I was assuming it would be like with the large company that simply mentioned my employer in the notice. It was from another large company, and that floored me.
edit: And you're probably not going to get anything for what you found, but you'll get a thanks if you go about it right, and you'll get arrested or ignored if you don't. You might get some recognition too, and that's worth a lot when you are young.