It’s 10pm, do *you* know where your PGP private keys are? You may be thinking that you’re not a security professional; you won’t be the one to discover a security problem. Think again! You know what a security problem looks like: you’ve probably coded up a few yourself! Learn from your past mistakes– and mine– and prepare your software disaster kit. Hear my story about the security problem in an open source project that I found and reported, and along the way I’ll walk you through the things I wish I had known how to do before I got all worked up. We’ll go over the simplest way to encrypt your problem report using someone’s public key, how to generate a keypair for yourself so that the people you reported to can send a secure reply, and how to distribute your public key *now* so people can be sure of your identity. We’ll also discuss the many possible meanings of “responsible” in this situation, and look at some case studies of disclosures that did not go very smoothly for one or more of the users, the reporter, or the vendor. Studies show you’re 11.4 times more likely to need to report a security vulnerability than to fend off a zombie apocalypse: be ready.