What's the appropriate choice when you find a security vulnerability and the vendor's website tells you to submit to a bug bounty program whose terms prevent public disclosure without vendor approval?
@mjg59 Another option (I'm curious if it's obviously wrong for some reason I can't see): inform the company via snail mail and give a disclosure deadline in that mail.
@robryk I'm not paying to send a letter to Australia because someone else fucked up