Scam Alert: t402.io — Vendor confirmed my security report, fixed the vulnerability, requested payment details, then stopped responding
Company / Program: t402.io
Platform: Self-Hosted · Severity: high · Scam type: no-payout
Published:
Reported by: Anonymous
I responsibly disclosed a security vulnerability affecting the T402 TypeScript SDK via the security email listed in their SECURITY.md.
On April 5, the security team replied confirming that the vulnerability was valid, reproduced the issue, and deployed a fix. They also thanked me for the report and requested my preferred researcher credit and an EVM wallet address for a bug bounty payment.
I replied the next day with my requested attribution and wallet address.
After providing the requested information, I received no further response. I sent several polite follow-up emails over the following months requesting an update, but none were answered and no payment was made.
The vulnerability was acknowledged and fixed, but the bounty process was never completed.