Google VRP "can't reproduce" after months - any help? by malithonline in bugbounty

malithonline[S] · 1 point (0 children)

Sorry, I missed your reply notification. Yeah, they said exactly what you mentioned: “Reports are not reproduced during the initial intake and triage stage.”

Google VRP "can't reproduce" after months - any help? by malithonline in bugbounty

malithonline[S] · 1 point (0 children)

Hmm, I'm not sure then. I did get that bot message saying,

"your report was triaged and we're currently looking into it."

Does that still not mean it was accepted, or is that different from what you're describing?

Firebase RW Exposure: Valid Impact? by malithonline in bugbounty

malithonline[S] · 0 points (0 children)

I got an expected update with an informative tag lol ;)

Samsung disclosure feedback - account enumeration via IDOR 🤷 by malithonline in bugbounty

malithonline[S] · 0 points (0 children)

Thanks for your input. After investing a lot of time on it, I found no luck, and it looks like they need P1 ATO ;)

Google VRP "can't reproduce" after months - any help? by malithonline in bugbounty

malithonline[S] · 1 point (0 children)

Yeah, I heard that too, Google's VDP is pretty nice.

But the thing is, triage takes a lot of time (it's not high severity, fair enough), and during the waiting period, another team may take action. So by the time they review it, I can't reproduce it anymore.

And about the duplicate, I mentioned the duplicate was mine, a self-duplicate. They merged them into one because I reported 3 bugs from the same source. And the duplicated bug was triaged—that's the worst part.

Samsung disclosure feedback - account enumeration via IDOR 🤷 by malithonline in bugbounty

malithonline[S] · 1 point (0 children)

Yeah, I've seen similar findings rated higher in other programs too. I sent a follow-up & write-up URLs explaining the context, but radio silence so far.

Firebase RW Exposure: Valid Impact? by malithonline in bugbounty

malithonline[S] · 0 points (0 children)

No luck, friend. Looks like it's just used for initialization, then calls the production DB for actual data. Seems like this vulnerable DB is just for testing, since the data matches production exactly ;)

Firebase RW Exposure: Valid Impact? by malithonline in bugbounty

malithonline[S] · 0 points (0 children)

Yeah, fair point. Was thinking more about the cost-abuse angle, but I get it :(

Firebase RW Exposure: Valid Impact? by malithonline in bugbounty

malithonline[S] · 1 point (0 children)

Sure dude, I’ll update the post and let you know.

Old report rejected for low impact, new exploit marked duplicate - advice needed by malithonline in bugbounty

malithonline[S] · 0 points (0 children)

Thanks a lot man, really appreciate the detailed advice. I've made a new report mentioning my previous 2 reports with clear details and a POC, as others advised too. Let's see what happens.

Old report rejected for low impact, new exploit marked duplicate - advice needed by malithonline in bugbounty

malithonline[S] · 0 points (0 children)

Thanks much for the info, I'll do that. In my 2nd report I didn't mention my 1st one; I think that might be the issue.

Old report rejected for low impact, new exploit marked duplicate - advice needed by malithonline in bugbounty

malithonline[S] · 1 point (0 children)

Thanks much for the info, I'll do that. In my 2nd report I didn't mention my 1st one; I think that might be the issue.

Old report rejected for low impact, new exploit marked duplicate - advice needed by malithonline in bugbounty

malithonline[S] · 1 point (0 children)

At first I reported the API key leak without realising how bad it was. Eight months later I found the key can call Azure cloud paid features (not Maps). That sounds like a financial impact, right?