- Send a fax (yes, we've actually done this)
- Send snail mail to an executive
- If you have access to resources like LexisNexis, you can often find the names of executives in technical roles as a starting point.
- If message delivery confirmation is desired, in the US you can send certified mail with signature verification. The recipient must sign to receive the mail, and you'll get a signed receipt back.
When all that fails
Some vendors remain unreachable even after a number of reasonable good faith attempts to reach them. And by reasonable we mean considerably less than exhausting the entire list above. Some vendors just do not seem to want to be reached. That is their prerogative. We have found that experience is often the best teacher. When a vendor gets surprised by the publication of a vulnerability in their product and it is clear from the report that attempts to notify them were made but failed, it can prompt the vendor to re-evaluate their vulnerability intake and handling processes to make it easier to reach them in the future.
Providing Useful Information