Overdue venting
Hey everyone, I'm really sorry about having to vent about this but im tired boss.
So I've been very active with Bugcrowd multiple submissions, never like made a big deal about duplicates, N/As (some wrongfully so, some understandable) since i've ran previous BB programs whilst being part of an internal Redteam right?
The thing is, as time advances, I'm now realizing that the level of complete incompetence or just flat-out laziness is detrimental on the platform.
Most, if not all, my submissions had to have literal hand-holding to explain everything over the course of months and since I've done pentests and executive & technical reports for higher-ups and engineering teams i know how to explain and demonstrate business impacts and repros so i know for a fact it's fairly easy to understand + i love to show them to my SO to make sure they can follow along to confirm that my submission is detailed and coherent.
Now what I'm unsure of is if it's laziness or stupidity.
recently I've been asked to TROUBLESHOOT why their setup installation wasn't working... in no way whatsoever related to my repro or vulnerability aside from the application i was testing. I had to direct the triager to the program's support team.
And now the straw that broke the camel's back, I've been studying, learning and practicing LLM testing since it's really fun and interesting and found a pretty big (keep in mind, this is my opinion) vulnerability.
it is RCE through a file analyzer for an agent. I was able to evade filters and because of the tool, the payload format and the prompt i "escaped" the direct assistant sandbox and reach the backend pod which is still a container but with a real kernel and network accesses.
I've spent weeks collecting proofs of the actual runtime, metadata, tokens, etc, etc... My first submission was littered with the triager not understanding basic LLM mechanics and LLM interaction with RCE and me showing screenshots and proofs and payloads and more. Surprise, surprise i forgot to respond to a dumb comment and they closed the submission after 6 days of me not responding. I was a bit peeved but understood that it was my fault.
Now for the kicker: i re-opened, as they requested, another submission for this with every single step, explanation, screenshot and absolutely everything i had gathered for the past couple of weeks to explain carefully all of this.
After some (ridiculously stupid) questions from the triagers and me answering and providing absolutely each step and guiding them to really make them understand as simply as possible (my 5 year old would've probably understood), they waited 16 days (this is, in my experience, absolutely very-high/CRITICAL) decided to not read ANYTHING and close it as N/A with the sole explanation of "Thank you for your submission. We're unable to identify any indication of a RCE here.".....
I have proof of running backend enumerations, i extracted source files from the Runtime to prove command execution of a real pod instance and proved Gateway manipulation (which let's you execute system code/actions on the cluster and pod manager server) in detail and once again providing screenshots and proofs.
I am at a loss for words.
Just needed to vent, for anybody saying "Yeah you probably did it wrong" or "The LLM probably hallucinated" yeah i thought of that too, so across different sessions, accounts and tenants i executed the same complex commands (as it is impossible for an AI to hallucinate the correct same circumstantial values for said commands).
Sorry for my long rant, no need to back me up or anything i was just at my absolute limit with stupidity like this. If you have another platform to recommend, please do!