
I found a vulnerability in a famous financial institution's site. So I asked their customer care over email how I can report it.

They said: "remove your cookies" 🤦

Comments
  • 7
    First line support: "follow the script and do not think".
  • 2
    Their customer care is probably fully automated, using bots powered by either human or artificial stupidity. If you actually want it to get fixed, report it to an authority or make it publicly known.

    In general, corporations do not fix bugs that don't affect their revenue. In the past, security breaches almost never had any negative impact on revenue. There literally is zero incentive to not just buy some snake oil to tick that box on the compliance checklist. So in the end, only pressure from a more powerful actor will actually make them fix the bug - and the state is that actor.
  • 3
    Check for a "/security.txt" or "/.well-known/security.txt"

    Don't agree to take any "reward" or "thank-you" gift outside of a regular bounty program. It might be entrapment and they might sue you for hacking/blackmailing/etc.
  • 3
    You informed them. Do it again, record the interaction and say you will make the bug public in 90 days.
  • 4
    @Voxera code red, I repeat code red! The received message is not included in the manual. Initiating emergency protocol: panic.
  • 1
    @CoreFusionX has it bang on. Record your next interaction, make sure it's to any and all addresses that might be relevant so they can't deny you sent it to the wrong place (even copy the CEO in if you can find their email), give them 90 days, then go public immediately afterwards.
  • 1
    @Oktokolo Agree. Customer care executives are not even trained to understand technical jargon like "vulnerability". They just ignore it.
  • 1
    @CoreFusionX Well! I tried to connect with an ethical hacker who can make a PoC and inform them in a better way, as I'm not an expert in this area.