Vendor silently patched my report on a public repo before triaging
Hey all, looking for advice / similar experiences.
About a month ago I submitted a report to a private program on HackerOne. Critical-severity memory corruption bug with a working PoC, suggested patch included, fully reproducible.
Timeline:
- Day 0: submitted, auto-acknowledged by H1
- Day 5: transferred between two programs of the same vendor
- Day 13: I pinged for status
- Day 18: a public commit landed on the vendor's open-source repo that adds bounds checks closing exactly my bug. The commit message references something unrelated: no mention of security, no CVE, no advisory, no credit, and no notification on the H1 report.
- Day 21: program lead replied on H1 saying they'd "get eyes on it soon", three days AFTER the commit was already pushed publicly. No mention of the commit.
- Day 24: report moved to "Pending program review"
- Today (≈30 days in): still no triage decision, no severity assignment, no bounty assessment
The public commit pretty clearly fixes my exact bug. But it's wrapped inside a commit titled as something else, which makes it look like incidental cleanup rather than a security fix.
Questions:
- Has anyone been in this situation? How did it resolve?
- At what point do you escalate to H1 mediation vs keep waiting?
Not looking to name-and-shame, just trying to handle this professionally. Appreciate any input.