I once contacted a local government agency to ask about a bug bounty program after finding a vulnerability in their website which would not only allow me to steal login credentials for their site, but also single sign-on credentials giving me access to many other government websites in the country for the targeted user. Their response: "Many thanks for your email. All IT and security systems for [redacted] are outsourced to another company. I am sorry that we are unabel to assist you further."