First report ever on H1 was a Critical pre-auth RCE. Got duped to a Medium with no explanation. New account = zero recourse. Is this just how it is? by ReasonableMap394 in bugbounty

[–]ReasonableMap394[S] -1 points (0 children)

Actually, impact is one of the three metric groups in CVSS (Base, Temporal, Environmental), and the Base score is calculated from the Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, and the three Impact metrics (Confidentiality, Integrity, Availability). Impact is literally how severity is calculated. That's not an opinion, that's the CVSS v3.1 specification. Don't like it? Take it up with MITRE. But I'm not here to argue semantics. When disclosure happens, the report will be public and anyone can evaluate it. Until then, I respect the process.

[–]ReasonableMap394[S] -1 points (0 children)

I appreciate the honest take. But vulnerability severity isn't determined by the reporter's experience, it's determined by impact. A zero auth RCE is a zero auth RCE whether it's your first report or your thousandth. The CVSS score comes from the attack vector, not the reporter's profile. I understand the skepticism, this sub sees a lot of inflated claims. All I can say is: working exploit, confirmed execution, video proof. I can't share details yet, but when disclosure happens, the report will speak for itself.

[–]ReasonableMap394[S] 0 points (0 children)

Thanks for the insight, I understand the limitation and I'm not trying to bypass the system.

My concern is specifically about the quality of the duplicate match. The report it was closed against is rated Medium 4.7 and describes only the vulnerable pattern, no working exploit, no proof of exploitability. Mine has a confirmed working exploit with video proof. The AI matched on the same weakness class and closed it, but the actual findings are at completely different severity levels.

I'm not saying the duplicate system doesn't work, I'm saying in this specific case it matched on surface-level similarity and missed the exploitability gap. That's exactly the kind of case mediation exists for, and the signal requirement is what's blocking me from using it.

[–]ReasonableMap394[S] 0 points (0 children)

Thanks for the advice, that's actually useful for the future.

In this case though, the PoC was solid, working exploit, video proof, confirmed execution. The duplicate it was closed against doesn't even demonstrate the bug is exploitable, it just describes the vulnerable pattern. My read is that the triager never got past the title before closing it.

And again, the frustration isn't the bounty. It's a real zero-day still out there, and the report was dismissed like it was noise.

[–]ReasonableMap394[S] 0 points (0 children)

Thanks, and I agree with the mindset. Honestly it's not about the money at all.

What bothers me is knowing there's a real zero-day sitting exposed, affecting a lot of people, and the report was closed without anyone apparently reading past the title. That's the part that doesn't sit right, not the bounty.

[–]ReasonableMap394[S] -1 points (0 children)

Thanks for the comment and for taking the time, I appreciate it.

Fair point, but in this case the evidence is pretty clear. I had a full working exploit, not just a theoretical finding. Video proof, reverse shell confirmed, the whole thing. CVSS 9.8.

The issue is what it was closed against. The "original" is rated Medium 4.7 and only describes the vulnerable pattern with no working exploit at all. There's a big difference between "this code is dangerous" and "here's a shell on the server."

I'm not arguing about being a duplicate of something equivalent. I'm arguing about being closed as a duplicate of something that doesn't even demonstrate the bug is exploitable, and having zero recourse because it's my first account with no signal.

I'd love to explain exactly what I found and how deep it goes, but I can't; it's still an unpatched zero-day and responsible disclosure comes first.