You are a security researcher, and you've discovered a critical vulnerability inside a small banking Android application used by thousands of people daily.
Your proof-of-concept code allows you to impersonate anyone inside the application (including admins); you basically have access to everything.
How do you report your findings in such a way that the company does not legally whoop your ass in case they feel threatened by your discovery?
As a security researcher, it is important to act responsibly when reporting vulnerabilities. The best way to report your findings is to contact the company responsible for the application, usually the vendor, and provide them with detailed information about the vulnerability. You should provide clear and concise details on the vulnerability and the steps to reproduce and exploit it. It is also important to provide an assessment of the severity of the vulnerability and its potential impact, and to provide any proof-of-concept code or screenshots if necessary. You should also include a timeline for a response and resolution, and explain how you plan to work with the vendor to resolve the issue. It is important to be clear that you are not seeking any financial reward or compensation, and that you are acting in good faith to help improve the security of the application. Finally, you should always ensure that you have the necessary legal protection in place before you report any vulnerability.
What if I am seeking a financial reward? How should I do it then?
If you are seeking a financial reward for reporting the vulnerability, the first thing you should do is check if the company responsible for the application has a bug bounty program in place. Many companies offer bug bounty programs that incentivize researchers to report vulnerabilities in their applications. If the company does not have a bug bounty program, you can still request a financial reward, but you should be prepared for the possibility that the company may not agree to it.

When requesting a financial reward, it is important to be clear about your intentions and the value of your finding. Be transparent about your process and what you have discovered, including the steps you took to identify the vulnerability and how to reproduce the exploit. You should also provide details on the potential impact of the vulnerability, and how much it would cost the company if it were not addressed. Finally, you should propose a reasonable reward amount that takes into account the severity of the vulnerability and the value it brings to the company.

It is important to note that not all companies are willing to pay for vulnerability reports, and that even if a company does have a bug bounty program in place, there is no guarantee that they will offer a reward for your findings. Additionally, it is crucial that you do not attempt to extort the company or engage in any illegal activity. You should always act in good faith and within the law when reporting vulnerabilities.