The CERT/CC offers vulnerability coordination and disclosure services.
Misunderstanding, disagreement, or hard-to-reach vendor? Complicated supply chain, protocol vulnerability, multiple vendors involved? IoT, particularly with safety impact? Vendor is new to disclosure? Internet or other critical infrastructure affected? New or under-appreciated type of vulnerability? We can help.
XSS or CSRF in home router? Vulnerability affecting a single vendor with mature disclosure capabilities? Not so much, however we do recommend you make an attempt at coordinated disclosure.
We don't offer a bounty, just acknowledgement in our Vulnerability Notes __and a sense of altruism.
Please note: Currently we are not tracking reports using HackerOne and submitting a report will take you to our Vulnerability Reporting Form on cert.org. Our program is not meant for reports in cert.org web properties.