Vendor promised CVE credits on YesWeHack, paid me out (with lower payout tier), then ghosted. Now a suspiciously similar CVE dropped with credits given to Cisco Talos. What are my options?
Hi everyone,
I need advice on how to get YesWeHack staff to intervene or review a ticket, as I don't see a "Request Mediation" button on the report interface.
The Situation:
- My Report: I submitted a Critical bug (CVSS 9.6) regarding an iOS/Android app. The vendor accepted it, paid a bounty (though underpaid by ~60% based on their own matrix), and explicitly wrote: "We will apply for a CVE on your behalf and list your name as the reporter." After the payout, they completely ghosted my follow-up messages.
- The Suspicion: A few days ago, a public CVE dropped for the exact same app. The CVE was "Reserved" just 3 days before the vendor promised me the credits in writing.
- The Dilemma: The public CVE credits Cisco Talos and the technical description is different from what I reported (it talks about unencrypted legacy APIs, whereas I reported a TLS chain validation flaw). However, given the identical timeline and app, I strongly suspect they might be related, or affecting the same component.
Since the vendor is ignoring my comments, I want YesWeHack to step in so I can get clear answers on whether this CVE is connected to my findings, and why the payout matrix wasn't respected.
My Question:
What is the best way to open a support ticket or call for mediation with YesWeHack staff when a vendor ghosts you? Has anyone experienced something similar?
Thanks!