u/One_Construction1114

Found what I believe is a P1 on a Bugcrowd program but triaged, patched, now complete silence for weeks. How do you cope?

Hello good people. I need some perspective from people who've been through this. Two months in and I'm losing my mind a little.

Background

I submitted a finding to a Bugcrowd program targeting a large European company. The vulnerability was a server-side misconfiguration on a public-facing endpoint that automatically injected privileged credentials into every outgoing request, with no authentication required from the attacker's side whatsoever.

How It Escalated

This is where I think I made a strategic mistake and want honest feedback.

My first submission focused purely on the read-only impact: unauthenticated access to sensitive internal data, including employee PII. The program initially assessed it as lower severity with a "no security impact" response, which I disagreed with.

So I went back, did a deeper impact analysis, and resubmitted with stronger evidence. This time it got triaged and validated by Bugcrowd staff. Good start. It was marked unresolved with point rewards.

But then I kept digging to prove the real severity. Over the following weeks I progressively demonstrated:

  • Full authentication bypass with zero credentials
  • Access to hundreds of thousands of customer and employee records including names, emails, phone numbers and addresses
  • Confirmed unauthenticated write access to production data
  • Administrative privilege escalation: created and then immediately deactivated a test admin account to prove the path
  • Code execution capability on the backend infrastructure

The Problem

Because I kept adding impact evidence progressively inside the same report rather than splitting into separate submissions, everything got bundled into one P2 "IDOR - View Sensitive Information" rating even though the actual impact went far beyond viewing anything.

The vulnerability has since been patched, confirmed by endpoint behavior going from wide open → 502 → deliberate 403. So they read it, validated it internally, fixed it.

And then complete silence.

  • Customer responded once with "we'll look into it" — nothing since
  • Multiple RaRs submitted, all expired without response
  • Points awarded, zero bounty decision, zero severity update
  • Two months and counting

My Questions

  1. Has anyone successfully gotten a severity upgrade from P2 to P1 after a customer goes silent post-patch?
  2. For those who've had similar "silent fix" experiences, did you ever get paid, or did you just write it up and move on?

The finding is real, the patch is real, the silence is real. Just trying to figure out if I keep pushing or accept the lesson and move on.

Appreciate any honest feedback including if you think I handled this badly.
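Added illustration, not the OP's code and not anything from the program in question: the bug class described above (a public endpoint that attaches a privileged credential to every request it forwards, regardless of who called it) next to a hardened version of the same gateway handler. Every name, token, path and session value here is a constructed assumption for the example; `leaks_privileged_credential` is a defender-side check you can run in a unit test or at an egress proxy to catch the weak pattern.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple
import hashlib
import hmac

# Constructed sample data: these values exist only for this example.
INTERNAL_SERVICE_TOKEN = "svc-admin-token-EXAMPLE"       # privileged backend credential
GATEWAY_SIGNING_KEY = b"gateway-signing-key-EXAMPLE"     # key for caller-scoped tokens
VALID_SESSIONS = {"sess-alice": "alice"}                 # session id -> user id
ALLOWED_BACKEND_PATHS = {"/api/profile", "/api/orders"}  # paths a caller may reach


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


def forward_vulnerable(incoming: Request) -> Tuple[int, Optional[Request]]:
    """Weak form: the gateway attaches its privileged service token to every
    outgoing request without checking who the caller is, so an anonymous
    request to any backend path leaves the gateway fully privileged."""
    outgoing = Request(path=incoming.path,
                       headers={"Authorization": f"Bearer {INTERNAL_SERVICE_TOKEN}"})
    return 200, outgoing


def caller_user(incoming: Request) -> Optional[str]:
    """Resolve the calling user from a session cookie; None if unauthenticated."""
    cookie = incoming.headers.get("Cookie", "")
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session" and value in VALID_SESSIONS:
            return VALID_SESSIONS[value]
    return None


def scoped_token(user: str, path: str) -> str:
    """Constructed caller-scoped credential: an HMAC over user and path, so the
    backend can verify the gateway vouched for this user for this path only.
    Stands in for whatever scoped credential a real gateway would mint."""
    msg = f"{user}:{path}".encode()
    return hmac.new(GATEWAY_SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def forward_hardened(incoming: Request) -> Tuple[int, Optional[Request]]:
    """Hardened form: authenticate the caller, allowlist the backend path, and
    forward only a credential scoped to that caller and that path. The
    privileged service token never leaves the gateway on behalf of a caller."""
    user = caller_user(incoming)
    if user is None:
        return 401, None
    if incoming.path not in ALLOWED_BACKEND_PATHS:
        return 403, None
    outgoing = Request(path=incoming.path,
                       headers={"X-Authenticated-User": user,
                                "X-Gateway-Token": scoped_token(user, incoming.path)})
    return 200, outgoing


def leaks_privileged_credential(outgoing: Optional[Request]) -> bool:
    """Defender-side check: does an outgoing request carry the privileged
    service token? True means the weak pattern is present."""
    if outgoing is None:
        return False
    return any(INTERNAL_SERVICE_TOKEN in v for v in outgoing.headers.values())


if __name__ == "__main__":
    anon = Request("/admin/users")  # anonymous caller, no session cookie
    for name, fn in (("vulnerable", forward_vulnerable), ("hardened", forward_hardened)):
        status, out = fn(anon)
        print(f"{name}: anonymous -> {status}, "
              f"leaks privileged token: {leaks_privileged_credential(out)}")
```

The anonymous request gets a fully privileged outgoing call from the weak handler and a 401 from the hardened one; a logged-in caller asking for a non-allowlisted path gets a 403, which matches the "wide open → 403" behavior change the post describes once the endpoint was fixed.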

u/One_Construction1114 — 2 days ago