2025-03-17: I report a critical …

2025-03-17: I report a critical vulnerability (trivial, complete 2FA bypass) to a well-known company’s security email alias. No reply.

2025-04-07: I report it again to their bug bounty program.

2025-04-09: They close it as a duplicate.

Their bug bounty program says, basically, “we never disclose reports. Don’t discuss them with anyone.”

23 days into this episode, I’m starting to weigh the responsible thing to do here.

Related