First they accepted my report as valid and decided on a £30 reward, but after 15 days, when I asked for an update on releasing the payment, they said something like “this issue was incorrectly triaged”.
Platform: Self-Hosted · Severity: high · Type: no-payout ·
So basically I found their npm org was exposed in a .js file, then I claimed it and reported it responsibly with actual code execution, but they aren't ready to accept the report. Now they are saying to remove the org, otherwise they will take legal
Platform: Self-Hosted · Severity: high · Type: no-payout ·
I reported a Stored XSS vulnerability to ScanTrust. After a few weeks, they patched the issue without replying to my report. Even after the patch, some HTML injection tags are still working, which means the issue was not fully fixed.
Platform: Self-Hosted · Severity: high · Type: no-payout ·
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the search input on https://www.boat-lifestyle.com. This vulnerability allows an attacker to inject and execute arbitrary JavaScript code in the context of a victim’s browser.
Platform: Self-Hosted · Severity: high · Type: ignored ·
I reported an IDOR (guardianx.rfgstudios.com) vulnerability that allowed an attacker to compromise victims' Discord bot ticket systems. Within 24 hours, the program responded that the issue was "not reproducible." When I retested the vu
Platform: Self-Hosted · Severity: high · Type: no-payout ·
A broken access control and business logic vulnerability allows users on a free plan to bypass premium subscription restrictions and perform organization member management actions.
Platform: Self-Hosted · Severity: high · Type: ignored ·
An Open Redirect vulnerability exists on the Proxsys website. The endpoint allows redirection to an attacker-controlled domain without proper validation. This can be abused for phishing, malware delivery, or credential theft.
Platform: Self-Hosted · Severity: medium · Type: ignored ·
So I reported a remote code execution to floatbot.ai with all the PoC scripts, screenshots, etc. They fixed it the very next day and never replied after multiple follow-ups (it's been 2 months).
Hi, I myself admin. I reported 2 bugs and at the end I received a reply: my bug was accepted as P4 and got 0 bounty. After that I saw other researchers' posts about this program; they did the same with others, a recent post by Eslam Abu Bakr
Platform: Self-Hosted · Severity: high · Type: no-payout ·
The DELETE /api/submissions/{subscriberId} endpoint on forms.plumsail.com requires ZERO authentication. Any unauthenticated attacker can permanently delete any webhook subscription by sending a single HTTP request with no credentials. T
Platform: Self-Hosted · Severity: high · Type: no-payout ·
Bugs: IDOR, Race Condition, Business Logic Bugs, Rate Limiting, CORS. Details: Earlier this year, I began reporting security vulnerabilities in Yatra through its responsible disclosure program. My initial submissions included a rejected
I reported 5 BAC vulns and they responded that they had paused their bug bounty program and would contact me again when it launched. I waited many months and asked for an update, but got no response.
Platform: Self-Hosted · Severity: medium · Type: other ·
If creating Stripe Restricted Keys were truly intended to be available to Viewers, the system would not return a 403 on the very page that contains the Create button.
Platform: Self-Hosted · Severity: medium · Type: ignored ·
I want to share my experience with a security disclosure that never received proper attention, and how it eventually ended when the entire target went offline. I responsibly reported multiple vulnerabilities to the program, including:
Platform: Self-Hosted · Severity: high · Type: ignored ·
Normally most programs mention in their out-of-scope section that CSRF on an unauthenticated endpoint or with no impact is out of scope, but CSRF with impact is in scope. At Wayfair they don’t accept any CSRF vulnerability even if the impact is hi
Platform: HackerOne · Severity: medium · Type: ignored ·
I reported a subdomain takeover in June 2025, and after almost 2 months I asked for a response by email but got no reply. After that I contacted them via WhatsApp; the person said “I will contact you soon.” It's been more than a year and no response fro
Platform: Self-Hosted · Severity: high · Type: ignored ·