Comment by MrQuincle

6 days ago

There should exist a vulnerability disclosure intermediary. They can function as a barrier to protect the scientist/researcher/enthusiast and do everything by the book for the different countries.

MSRC (Microsoft Security Response Center) — https://msrc.microsoft.com/

They’ll close a report as “no action” if the issue isn’t related to Microsoft products. That said, in my experience they’ve been a reasonable intermediary for a few incidents I’ve reported involving government websites, especially where Microsoft software was part of the stack in some way.

For example, I’ve reported issues in multiple countries where national ID numbers are sequential. Private companies like insurers, pension funds, and banks use those IDs to look up records, but some of them didn’t verify that the JSON Web Token (JWT) used for the session actually belonged to the person whose national ID was being queried. In practice, that meant an attacker could enumerate IDs and access other citizens’ financial and personal data.

Reporting something like that directly to a government agency can be intimidating, so I reported it to Microsoft instead, since these organizations often use Azure AD B2C for customer authentication. The vulnerability itself wasn’t in Microsoft’s products, but MSRC’s reactive engineers still took ownership of triage and helped route it to the right contacts in those agencies through their existing partnerships.
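The lookup flaw described in the comment above, as an added example that is not code from the commenter or from any organization mentioned: a minimal HS256 JWT verifier, the vulnerable record lookup that only authenticates, and the hardened one that also checks the token subject owns the requested national ID. RECORDS, DEMO_KEY, the owner_sub field and the token shape are constructed assumptions; a real service validates tokens against the identity provider's published keys.

```python
import base64, hashlib, hmac, json, time

# Constructed demo data: sequential national IDs and the account each belongs to.
RECORDS = {
    "100000001": {"owner_sub": "user-a", "balance": 1250.00},
    "100000002": {"owner_sub": "user-b", "balance": 980.50},
}
DEMO_KEY = b"demo-only-hmac-key"  # placeholder; real services verify with the IdP's keys


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(sub: str, key: bytes = DEMO_KEY, ttl: int = 3600) -> str:
    """Mint a minimal HS256 JWT for the demo; stands in for the token the IdP issues."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, key: bytes = DEMO_KEY) -> dict:
    """Authentication only: checks algorithm, signature and expiry, returns the claims."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return claims


def lookup_vulnerable(token: str, national_id: str):
    """The bug the comment describes: any valid session can read any national ID."""
    verify_token(token)  # proves someone is logged in, not that they own this record
    return RECORDS.get(national_id)


def lookup_hardened(token: str, national_id: str) -> dict:
    """Authorization: the token subject must be the owner of the requested record."""
    claims = verify_token(token)
    record = RECORDS.get(national_id)
    if record is None or record["owner_sub"] != claims["sub"]:
        # Same error for unknown and foreign IDs, so enumeration reveals nothing.
        raise PermissionError("not the owner of this record")
    return record
```

The hardened variant is the check the comment says was missing: the session proves who is asking, and the lookup must compare that identity against the record being requested.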

National CERTs usually take up this role. I presume OP could have anonymously disclosed to the Maltese CERT, whom they already CC'd, though you'd have to check with them specifically to see if they offer that. Hackerspaces also often do this, especially if you're a member but probably also if not and they have faith that your actions were legal (best case, you can demonstrate exactly what you did, like by showing the script you ran, as OP could).

Who compensates them for the risk?

  • What risk? It sounds to me like the worst they could get is a subpoena to produce the identity of the reporter

    Besides, it's usually governmental organizations that do this sort of thing