
"Of course the way the world works today; instead of taking me up on the help they would probably just contact the police."

Ok so try it this way.

Contact the company [1] [2] and tell them you believe there might be security holes in their app (and make reference to cases like Starbucks, while pointing out that even if they are OK on that, there could be other issues) and offer to tell them the results of your testing (a written report) in exchange for your fee.

You haven't said you found anything in particular (and you haven't), haven't specifically said you've intruded, and you can get paid for a security review which, if written and done correctly, will give the executive hiring you cover.

[1] I suggest a postal letter rather than email. You could start by email, but I just think it will be ignored and that it's worth the stamp to get more attention.

[2] I've done similar things (not with security) and it's worked pretty well.



This sounds almost like extortion. I would not suggest doing this with security.


It's not extortion.

And it's done quite frequently by home security companies whenever there is a burglary in a particular area: "Your neighbor just had a burglary and you might be vulnerable as well!"

And the wording can be altered to suit one's taste or level of comfort.

Of course you can blaze a large "this is a solicitation" across it, but I would suggest that if you aren't willing to push the envelope with marketing you are not going to make out as well. This is based on my many years of experience doing similar things. Business involves taking and assessing risks and rewards. (Everyone's level of comfort or ability to do this differs, of course.)

And it's not the same (nor was I suggesting) as saying to someone "hey, I found a hole in your app and if you don't pay me I will publish the results of the security hole". Details matter.

By the way, saying to a homeowner "I saw you have a few windows at your house that appear to be broken (that would allow entry!) and I'll tell you which windows are broken if you pay me $50" is not extortion, any more than saying "You have an outdated HVAC and for $100 I will give you a proposal on the best system to replace it with".


Yeah, you're right, it's not extortion. That's why I said it's almost extortion. It's certainly pretty tasteless. It is a tactic used by extortionists, and I wouldn't consider doing business with someone who applied that tactic.


I would not agree that this is extortion. I would consider it to be more self-protection. If you have no intention of misusing the security flaw or releasing it to the public, you are offering a no-harm approach while offering a valuable service. The unfortunate situation is that the business in question does not value the service even though it should.

Most competent programmers do not have time to just go around and fix every security flaw pro bono either.


I understand it's not extortion. You'll note I never said it was extortion.

I also understand how it protects the reporter.

I'm not asking the reporter to take responsibility or do anything that would harm them; I'm asking them not to essentially make the sales pitch of "look at how your neighbor had something bad happen to them, you wouldn't want something similar to happen to you now, would you?"


"It's certainly pretty tasteless."

While it's debatable (depends on execution) whether it is tasteless, to make money you sometimes have to get over that.

"I wouldn't consider doing business with someone who applied that tactic."

The person doing the sending isn't looking to close 100% of the people he mails to. Nor does he care what the recipient thinks. If you worry about that you will potentially miss a business opportunity.

Look, think of it like using a cheesy line in a bar. It's something I've never done, but I recognize that it works for some people and gets them dates. In the end, approaching 100 women with a line will work better than staying home and doing nothing (assuming you can take the rejection, of course).





