Instead of understanding all of this, and when it does or does not apply, it's probably better to disclose vulnerabilities anonymously over Tor.
It's not worth the hassle of being forced to hire a lawyer, just to be a white hat.
Part of the motivation of reporting is clout and reputation. That sounds harsh or critical but for some folks their reputation directly impacts their livelihood. Sure the data controller doesn't care, but if you want to get hired or invited to conferences then the clout matters.

You could use public-key encryption in your reports to reveal your identity to parties of your choosing.
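The last comment's suggestion, worked through as an added example that is not part of this thread: the report itself stays anonymous and in the clear, while a short identity note is encrypted to one chosen party's public key and appended as an opaque block. Only the holder of that private key can learn who sent it; anyone else, including a second vendor with their own key, gets a decryption error rather than the name. The choice of RSA-OAEP with SHA-256, the block delimiters, the OAEP label and the sample identity and finding strings are all assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// OAEP label: binds the ciphertext to this purpose, so the same blob cannot be
// presented to the recipient as something else. Chosen for this example.
var identityLabel = []byte("vuln-report-reporter-identity")

const (
	beginMarker = "-----BEGIN SEALED REPORTER IDENTITY-----\n"
	endMarker   = "\n-----END SEALED REPORTER IDENTITY-----"
)

// SealIdentity encrypts a short identity note (name, contact, proof link) to
// one chosen party's RSA public key with RSA-OAEP/SHA-256. With a 2048-bit key
// the note must be at most 190 bytes; EncryptOAEP reports an error otherwise.
func SealIdentity(recipient *rsa.PublicKey, identity string) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, []byte(identity), identityLabel)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// OpenIdentity is what the chosen party runs with its private key. A different
// key, a mismatched label or a tampered blob fails with an error, never with
// plausible-looking garbage.
func OpenIdentity(priv *rsa.PrivateKey, blob string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, identityLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// BuildReport assembles the anonymous report: the technical finding in the
// clear, followed by the sealed identity block for the chosen recipient.
func BuildReport(finding, sealed string) string {
	return finding + "\n\n" + beginMarker + sealed + endMarker + "\n"
}

// ExtractSealed pulls the sealed block back out of a received report.
func ExtractSealed(report string) (string, bool) {
	i := strings.Index(report, beginMarker)
	if i < 0 {
		return "", false
	}
	rest := report[i+len(beginMarker):]
	j := strings.Index(rest, endMarker)
	if j < 0 {
		return "", false
	}
	return rest[:j], true
}

func main() {
	// Constructed keys: in practice the recipient publishes its public key
	// (e.g. in its security.txt or disclosure page) and the reporter uses that.
	vendor, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	sealed, err := SealIdentity(&vendor.PublicKey, "Constructed identity: researcher@example.org")
	if err != nil {
		panic(err)
	}
	report := BuildReport("Constructed finding: the login form does not validate its input.", sealed)
	fmt.Println(report)

	blob, _ := ExtractSealed(report)
	id, err := OpenIdentity(vendor, blob)
	fmt.Println("recipient recovered:", id, "error:", err)
}
```

Sending the sealed block with the report, rather than a signature, is what keeps the reporter's choice reversible in only one direction: the reporter decides up front who may learn their identity, and nobody else can later extract it from the report. If the reporter also wants to prove authorship later, they can keep a pseudonymous signing key and sign the report body with it; that is a separate mechanism and is not shown here.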