Should I report a security breach?

What not to do

You should never send a raw report from a vulnerability scanner to a company. 90% of the time these are useless on their own and are likely to be ignored by any competent security team. The reason is that scanners can produce any number of false positives, so a positive result from a vulnerability scanner does not actually mean that there is a vulnerability. However, it is common for new bug bounty hunters to simply forward scanner reports to companies without understanding the contents of the report, or whether it is correct or even applicable. As a result, security teams often simply ignore a report that comes straight from a scanner. Most bug bounty programs say so explicitly.

What you should do

You should instead take the time to write a vulnerability report yourself: describe the nature of the vulnerability, the steps to follow to confirm your findings, the risk this vulnerability poses to the company, and ideally steps to mitigate it. That is what you should send to the company, and sending something like this is almost always a good idea.

If the company does not have an established security team, it will be even less able to make sense of a scanner report. It is therefore all the more important that you take the time to write a vulnerability report detailing the vulnerability, its impact on the business, an estimate of its severity, and suggested mitigation measures. Although this is not the situation you are in, performing automated security scans on a website without explicit approval is illegal in most jurisdictions and is a bad idea in general.

tl;dr:

Should you send your scanner results to a company? No, because they are often useless. What you need to do is check that the scanner is not reporting a false positive, then send a report detailing the vulnerability, the steps they can take to reproduce it, an explanation of its impact, and proposed mitigation measures. You obviously should not "hack" into the system under any circumstances.