hsbauauvhabzb 4 days ago

Be super careful with this: you had innocent intent, but that doesn’t mitigate the fact that you potentially broke the law (and regardless of whether you did or not, that won’t stop the feds busting in the door). Some places will take reports like that gratefully, others will do everything in their power to make you out to be the bad guy.

2
bauruine 4 days ago

>I did some research and found that the app did in fact have a responsible disclosure policy which at that point, I was happy to continue forth.

Looks like he did some research before.

On the other hand

>On day 2 I awoke and began by finding some form of contact details, information was somewhat sparse but I managed to find a phone number.

Doesn't a responsible disclosure policy usually contain contact info on where to report?

alp1n3_eth 4 days ago

Weirdly enough... not always.

When it comes to random companies running their own VDP vs. hiring it out, it can be less than standard despite there being lots of resources on setting it up. I've seen ones that only include a phone number, the email address listed doesn't exist anymore, etc.

Others have had to even get to the point of contacting an executive via LinkedIn despite there being a VDP page / security.txt.

StrauXX 4 days ago

No, they did not in any way break the law. As they wrote themselves:

> I did some research and found that the app did in fact have a responsible disclosure policy which at that point, I was happy to continue forth.

shakna 4 days ago

Under New Zealand's Crimes Act, all unauthorised access is illegal. This has been used in court to cover cases where someone was not pre-approved, rather than just a policy that gives an implied acceptance. It has also been used where someone has accidentally gained access via unsecured systems.

I would not be so confident in stating that they did not break the law.

StrauXX 4 days ago

Any half-decent VDP will have a safe harbour clause. Otherwise it isn't a true VDP but rather just contact details.

shakna 4 days ago

So far, the courts have ruled that you need to be specifically approved, by name, before any works begin. There is no safe harbour here. Your policy does not overrule the law. You need a pre-existing relationship with the company, before you begin to look for vulnerabilities.

hsbauauvhabzb 4 days ago

A security disclosure contact email is not a safe harbour clause.