How do I report a security issue without getting sued?


Hi all,

I've found quite a bad security leak exposing a bunch of customer data in an app created by a small startup.

It's a really obvious hole. I simply made 2 accounts, logged in with one, went to the edit page of my account containing my info (email etc.), then changed the ID in the GET request to the other account's ID.

It's scary how easy this was.

I never looked at other customers' data. The GET URLs just seemed so insecure that I had to try whether this would work.

Anyway, I really want to make the issue clear to the company so they can fix it.

However, I'm worried they might not take this so well.

I'm afraid they will take more notice of the 'I can view all your customers' data' part of my story than the 'and I'm here to help' part.

Of course I could leave a nice note in their contact form without an email address and hope they don't keep any access logs (wouldn't be surprising at this point).

But that just doesn't seem right.

Does anyone have any advice on how to go about this? Any experiences in this area maybe?

Should I be worried at all about legal troubles?
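The hole described in the post (an account edit page that trusts the ID in the request) is a classic insecure direct object reference. As an added illustration, not code from the original post or from the startup's app, here is a minimal Python model of the vulnerable lookup beside two hardened versions, plus the check a defender could run over access logs to spot cross-account requests. The account table, the log format and the sample log lines are constructed for the example.

```python
import re
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the requested record does not belong to the caller."""


@dataclass(frozen=True)
class Account:
    account_id: int
    email: str


# Constructed sample data standing in for the app's customer table.
ACCOUNTS = {
    101: Account(101, "alice@example.invalid"),
    102: Account(102, "bob@example.invalid"),
}


def edit_page_vulnerable(session_user_id: int, requested_id: int) -> Account:
    """The bug from the post: the record is looked up purely by the ID in the
    GET request; the logged-in user's identity is never consulted."""
    return ACCOUNTS[requested_id]


def access_allowed(session_user_id: int, requested_id: int) -> bool:
    """Authorization rule: a session may only read its own account."""
    return session_user_id == requested_id


def edit_page_fixed(session_user_id: int, requested_id: int) -> Account:
    """Fix 1: authorize every object access against the session."""
    if not access_allowed(session_user_id, requested_id):
        raise Forbidden(f"user {session_user_id} may not access account {requested_id}")
    return ACCOUNTS[requested_id]


def edit_page_no_id(session_user_id: int) -> Account:
    """Fix 2 (preferred): take no ID from the request at all; the account is
    derived from the authenticated session, so there is nothing to tamper with."""
    return ACCOUNTS[session_user_id]


# Constructed access-log format for the detection check below:
# "<session_user_id> GET /account/edit?id=<requested_id>".
LOG_LINE = re.compile(r"^(\d+) GET /account/edit\?id=(\d+)$")


def find_cross_account_requests(log_lines):
    """Return (session_user_id, requested_id) pairs where a session asked for an
    account other than its own. In the vulnerable app these are successful reads
    of other customers' data; in the fixed app they are denied attempts that are
    still worth alerting on."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not account-edit requests
        session_user_id, requested_id = int(m.group(1)), int(m.group(2))
        if not access_allowed(session_user_id, requested_id):
            hits.append((session_user_id, requested_id))
    return hits


# Constructed log: two normal requests, one cross-account request, one junk line.
SAMPLE_LOG = [
    "101 GET /account/edit?id=101",
    "102 GET /account/edit?id=102",
    "101 GET /account/edit?id=102",
    "malformed line",
]


if __name__ == "__main__":
    print("vulnerable:", edit_page_vulnerable(101, 102))  # Bob's record, wrongly served
    try:
        edit_page_fixed(101, 102)
    except Forbidden as e:
        print("fixed:", e)
    print("no-id:", edit_page_no_id(101))
    print("log hits:", find_cross_account_requests(SAMPLE_LOG))
```

The second fix is the one to prefer where the page only ever edits the caller's own record: once the identifier comes from the session rather than the URL, the "change the ID in the request" step has nothing to act on. The log check is the defender's counterpart; even after the fix, sessions requesting other accounts' IDs indicate probing and should be logged and reviewed.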


