Blog | G5 Cyber Security

Bug Bounty: No Response?

TL;DR

You reported a bug through a company’s bounty program and haven’t received a response? This guide covers checking your report status, escalating the issue, and knowing when to consider it closed. It includes tips for both technical and non-technical users.

1. Review the Program Rules

  1. Read the Scope: Double-check that the bug falls within the program’s defined scope. Many programs only accept reports for specific products or features.
  2. Check Eligibility: Ensure you meet all eligibility requirements (e.g., age, location).
  3. Understand Duplication Rules: See if someone else has already reported a similar issue. Most programs don’t reward duplicate submissions.
  4. Review Response Times: The program documentation should state an expected response time. This is your first benchmark.

2. Check Your Report Status

Most bug bounty platforms provide a way to track the status of your submission.

  1. HackerOne: Log in and navigate to your submissions. The status will be listed (e.g., New, Triaged, In Review, Closed).
  2. Bugcrowd: Similar to HackerOne, check the ‘My Submissions’ section for updates.
  3. Direct Programs: If you submitted directly via email or a web form, look for an auto-reply with a tracking number or link. Check your spam/junk folder!

3. Follow Up (Politely)

If the response time has passed and your report remains unacknowledged, it’s appropriate to follow up.

  1. Wait a Reasonable Time: Give them at least 7-10 days *after* the stated response time before following up.
  2. Reply to Your Original Submission: Use the same communication channel you initially used (e.g., HackerOne ticket, email thread).
  3. Be Concise and Professional: A simple message like this is effective:
    Subject: Following Up - [Bug Title] - [Submission ID]
    
    Hi Team,
    
    Just checking in on the status of my submission regarding [briefly describe bug]. The submission ID is [submission ID]. Please let me know if you require any further information.
    
    Thanks,
    [Your Name]
  4. Avoid Repeated Follow-Ups: Sending multiple messages within a short period can be counterproductive. Wait at least 3-5 days between follow-ups.

4. Escalate the Issue (If Possible)

Some programs have escalation paths.

  1. Check Program Documentation: Look for a dedicated email address or contact form for escalations.
  2. Contact Security Team on Social Media: As a last resort, you *might* try reaching out to the company’s security team on platforms like Twitter/X or LinkedIn. Be polite and professional; public shaming is unlikely to be effective.

5. Consider the Report Closed

Unfortunately, not all reports receive a response.

  1. After Multiple Attempts: If you’ve followed up multiple times (2-3) with no response after a reasonable period (e.g., 4 weeks), it’s likely the report won’t be addressed.
  2. Don’t Waste Time: Focus your efforts on other vulnerabilities and programs.
  3. Learn from the Experience: Analyze your report to see if there were any issues with clarity, severity assessment, or scope.
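The timing rules in steps 3 to 5 (wait after the stated response time, space follow-ups out, escalate after several attempts, close after a reasonable period) are easy to lose track of across many reports. The Python below is an added example written for this page, not code from G5 Cyber Security or any bounty platform. It assumes the lower bound of each range the guide gives (7 days after the stated response time, 3 days between follow-ups, two follow-ups before trying an escalation path, four weeks before considering the report closed), reads the step 5 rule as "at least two follow-ups and four weeks since submission", and uses a constructed submission ID and dates.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Thresholds taken from steps 3 and 5 of the guide. Where the guide gives a
# range (7-10 days, 3-5 days, 2-3 follow-ups) the lower bound is used; that
# choice is an assumption of this example, not something the guide specifies.
GRACE_AFTER_SLA = timedelta(days=7)         # wait this long after the stated response time
GAP_BETWEEN_FOLLOWUPS = timedelta(days=3)   # minimum spacing between follow-ups
FOLLOWUPS_BEFORE_ESCALATING = 2             # "multiple attempts" before using an escalation path
CLOSE_AFTER = timedelta(weeks=4)            # "reasonable period" of silence since submission


@dataclass
class Report:
    submission_id: str
    submitted: date
    stated_response_days: int                # from the program documentation
    followups: List[date] = field(default_factory=list)
    acknowledged: bool = False


def next_action(report: Report, today: date) -> Tuple[str, Optional[date]]:
    """Decide what to do with a report on a given day.

    Returns (action, earliest_date): 'wait' until earliest_date, 'follow_up',
    'escalate', 'consider_closed', or 'acknowledged' (nothing to do).
    """
    if report.acknowledged:
        return ("acknowledged", None)
    attempts = len(report.followups)
    # Step 5: several follow-ups and about four weeks of silence since submission.
    if attempts >= FOLLOWUPS_BEFORE_ESCALATING and today - report.submitted >= CLOSE_AFTER:
        return ("consider_closed", None)
    if attempts == 0:
        # Step 3.1: the program's own response time is the first benchmark.
        sla_deadline = report.submitted + timedelta(days=report.stated_response_days)
        earliest = sla_deadline + GRACE_AFTER_SLA
    else:
        # Step 3.4: do not send follow-ups in quick succession.
        earliest = report.followups[-1] + GAP_BETWEEN_FOLLOWUPS
    if today < earliest:
        return ("wait", earliest)
    if attempts < FOLLOWUPS_BEFORE_ESCALATING:
        return ("follow_up", earliest)
    return ("escalate", earliest)           # Step 4: try the program's escalation path, if any


def record_followup(report: Report, when: date) -> None:
    """Log a follow-up, refusing one that would break the spacing rule."""
    action, earliest = next_action(report, when)
    if action not in ("follow_up", "escalate"):
        raise ValueError(f"follow-up on {when} not advisable: {action} (earliest {earliest})")
    report.followups.append(when)


def draft_followup(report: Report, bug_title: str, summary: str) -> str:
    """Fill in the short, professional template from step 3.3."""
    return (
        f"Subject: Following Up - {bug_title} - {report.submission_id}\n\n"
        "Hi Team,\n\n"
        f"Just checking in on the status of my submission regarding {summary}. "
        f"The submission ID is {report.submission_id}. "
        "Please let me know if you require any further information.\n\n"
        "Thanks,\n[Your Name]"
    )


if __name__ == "__main__":
    # Constructed sample: a 14-day stated response time, submitted 1 Jan 2024.
    sample = Report("EXAMPLE-1234", date(2024, 1, 1), stated_response_days=14)
    for day in (date(2024, 1, 10), date(2024, 1, 22)):
        print(day, next_action(sample, day))
    record_followup(sample, date(2024, 1, 22))
    print(draft_followup(sample, "Stored XSS in profile page", "the stored XSS in the profile page"))
```

Run it on a date later than the last follow-up to get the next recommended step; `record_followup` refuses a follow-up sent sooner than the spacing rule allows, which is the mistake step 3.4 warns about.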

6. Resources
