Hackerone Triage - Bug validated, escalated and closed as informative
Hi, I wonder if someone could help me out. I submitted a bug to one of H1 bounty programs. The bug is a CVSS 4.0 - 9.3. The triager closed the report as INFORMATIVE with the following comment:
[HACKERONE MANAGED CASE]
---
Hey @
Thank you for your report!
After review, we have confirmed the reported behavior and identified a valid security impact.
>XXXXXXX REDACTED XXXXXXXXX
As a result, we are escalating this to the engineering team for remediation. We will keep you updated on the fix timeline.
This will not have any impact on your Signal or Reputation score. We appreciate your effort and responsible disclosure.
Kind regards,
@h1_analyst_dev
---
1 - they have confirmed that its a bug and requires remediation
2 - they said that they would keep me updated on the timeline
3 - the redacted part is the description of the bug and impact exactly as I stated and all I can say is that it has the word Critical on it.
On the other hand
1 - Message said that it wouldn't impact my signal or reputation score.
2 - Was closed as informative.
For me this clearly seems as a SOP mistake rather than a real report closure. I contacted their support but they said that they are not allowed to talk with triage and that all I can do is tag the triager and watch if they answer back. Also that a mediation will be possible when I have "Signal" but this require 3 resolved reports and the ones I have are lingering for a long time and were never resolved.
I wonder if anyone has had a similar issue and would have sugestions.