When I reported the serious issues affecting admin in workspace, this was the reply from the company: Unfortunately, this only affects the workspace in place, and no lawyer will do this ever. I’m not even sure if this even counts as a bug as t
Platform: Self-Hosted · Severity: medium · Type: ignored ·
A security researcher reported a privilege escalation vulnerability in April that allowed a user to escalate privileges from Admin to Owner. The report was acknowledged and remained under review. Months later, the researcher received a s
Platform: Self-Hosted · Severity: medium · Type: false-dup ·
Hi all, I reported an OTP bypass on 28 May 2024 and I received an automated reply, but till now I have received no reply from the company. They have 3 main domains; I included all
Platform: Self-Hosted · Severity: high · Type: ignored ·
I submitted a security vulnerability report (Reference: BSECB-425) on December 31, 2025. The vulnerability was reviewed and officially validated by the security team on March 24, 2026. The team classified the issue as Low severity and ap
Hi, I reported several critical bugs, spent almost a week hunting on this program, and after almost a year the domain projectbios.com doesn't exist; email and other things including social media are gone, wtf
Hi all, this program offers a reward but the email doesn't exist. I reported a bug almost a year ago and found out the email does not exist, so don't waste time to find a bug and then there is no reporting option available
Platform: Self-Hosted · Severity: low · Type: other ·
Hi all, I reported an HTML injection on alphanodus.com/sign-up in the username field, which reflects on email. I reported this on 22 Dec 2025 and till now no response at all. Please be aware, and don't report any bug and don't waste your time on
Platform: Self-Hosted · Severity: medium · Type: ignored ·
First they accepted my report as valid and decided on a £30 reward, but after 15 days I asked for updates on releasing the payment and then they said something like “this issue was incorrectly triaged”
Platform: Self-Hosted · Severity: high · Type: no-payout ·
So basically I found their npm org was exposed in a .js file, then I claimed it, then reported responsibly with actual code execution, but they aren't ready to accept the report. Now they are saying remove the org, otherwise they will take legal
Platform: Self-Hosted · Severity: high · Type: no-payout ·
I reported a Stored XSS vulnerability to ScanTrust. After a few weeks, they patched the issue without replying to my report. Even after the patch, some HTML injection tags are still working, which means the issue was not fully fixed.
Platform: Self-Hosted · Severity: high · Type: no-payout ·
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the search input on https://www.boat-lifestyle.com. This vulnerability allows an attacker to inject and execute arbitrary JavaScript code in the context of a victim’s browser.
Platform: Self-Hosted · Severity: high · Type: ignored ·
I reported an IDOR (guardianx.rfgstudios.com) vulnerability that allowed an attacker to compromise victims' Discord bot ticket systems. Within 24 hours, the program responded that the issue was "not reproducible." When I retested the vu
Platform: Self-Hosted · Severity: high · Type: no-payout ·
A broken access control and business logic vulnerability allows users on a free plan to bypass premium subscription restrictions and perform organization member management actions.
Platform: Self-Hosted · Severity: high · Type: ignored ·
An Open Redirect vulnerability exists on the Proxsys website. The endpoint allows redirection to an attacker-controlled domain without proper validation. This can be abused for phishing, malware delivery, or credential theft.
Platform: Self-Hosted · Severity: medium · Type: ignored ·
So I reported a remote code execution to floatbot.ai with all the PoC scripts, screenshots, etc. They fixed it the very next day and never replied after multiple follow-ups (it's been 2 months)
Hi, I myself admin, I reported 2 bugs and at the end I received a reply: my bug was accepted as P4 and got 0 bounty. After that I saw other researchers' posts about this program; they did the same with others, a recent post by Eslam Abu Bakr
Platform: Self-Hosted · Severity: high · Type: no-payout ·
The DELETE /api/submissions/{subscriberId} endpoint on forms.plumsail.com requires ZERO authentication. Any unauthenticated attacker can permanently delete any webhook subscription by sending a single HTTP request with no credentials. T
Platform: Self-Hosted · Severity: high · Type: no-payout ·
Bugs: IDOR, Race Condition, Business Logic Bugs, Rate Limiting, CORS. Details: Earlier this year, I began reporting security vulnerabilities in Yatra through its responsible disclosure program. My initial submissions included a rejected
I reported 5 BAC vulns and they responded that they paused their bug bounty program and will contact me again when it launches, and I waited many months and asked for an update but got no response
Platform: Self-Hosted · Severity: medium · Type: other ·
If creating Stripe Restricted Keys were truly intended to be available to Viewers, the system would not return a 403 on the very page that contains the Create button.
Platform: Self-Hosted · Severity: medium · Type: ignored ·
I want to share my experience with a security disclosure that never received proper attention, and how it eventually ended when the entire target went offline. I responsibly reported multiple vulnerabilities to the program, including:
Platform: Self-Hosted · Severity: high · Type: ignored ·
Normally most programs mention in the out-of-scope section that CSRF on an unauthenticated endpoint or with no impact is out of scope, but CSRF with impact is in scope. In Wayfair they don’t accept any CSRF vulnerability even if the impact is hi
Platform: HackerOne · Severity: medium · Type: ignored ·
I reported a subdomain takeover in June 2025 and after almost 2 months I asked for a response by email but got no reply. After that I contacted them via WhatsApp; the person said I will contact you soon. It's been more than a year and no response fro
Platform: Self-Hosted · Severity: high · Type: ignored ·