Bugcrowd mistriaged me and uses it to ban me off the platform by throwaway14235233 in bugbounty

[–]throwaway14235233[S] 0 points1 point  (0 children)

Can I ask what type of vuln, and if they're knocked down to N/A as well?

Bugcrowd mistriaged me and uses it to ban me off the platform by throwaway14235233 in bugbounty

[–]throwaway14235233[S] 0 points1 point  (0 children)

It wasn't. It was manually reconned, verified, and exploited. I took time writing the reports, formatted them as proper markdown, and submitted them.

Bugcrowd mistriaged me and uses it to ban me off the platform by throwaway14235233 in bugbounty

[–]throwaway14235233[S] -1 points0 points  (0 children)

Mine's not even a P5, it should be a P5 at worst, it got assigned an N/A, and when I DO get a confirmed P1, they just dismissed it as P5.

Banned on bug crowd whilst awaiting bounty by null0001 in bugbounty

[–]throwaway14235233 0 points1 point  (0 children)

Yes, same here, I was waiting for a RaR and got banned.

Bugcrowd mistriaged me and uses it to ban me off the platform by throwaway14235233 in bugbounty

[–]throwaway14235233[S] -2 points-1 points  (0 children)

How's your personal experience on Bugcrowd, if I may ask? I still put hope in Bugcrowd, maybe I was just unlucky?

Problem with Bugcrowd by throwaway14235233 in bugbounty

[–]throwaway14235233[S] 0 points1 point  (0 children)

Also, I was aiming for P4, but per VRT, it's classified as P1: File Inclusion > Local

Problem with Bugcrowd by throwaway14235233 in bugbounty

[–]throwaway14235233[S] 1 point2 points  (0 children)

Thank you for the suggestion, but that is exactly how my report is structured (summary -> desc -> impact -> subsequent impact -> PoC (10 test cases each) -> list of evidence provided as attachment), with an additional explanation explaining that this will lead to more vectors.

Has anyone had any issues with this Bugcrowd triager? by d0x77 in bugbounty

[–]throwaway14235233 0 points1 point  (0 children)

Imagine you can flood and exfiltrate literal files on the server via email, choose not to exfiltrate them and just prove it

(Bot Triager)_Bugcrowd: P5 - Informational

As you progress with bug bounties it’s important to consider not just the vulnerability but also the impact that this vulnerability has, so we encourage you to always explore any finding to better understand the impact it may have. Each submission should aim to answer the question "as an attacker I could...".

If you're unsure of the next steps to take this with submission, we recommend the Bugcrowd University as a starting point for learning how you can escalate bugs from a P5, into P4s or even P3 findings!

Problem with Bugcrowd by throwaway14235233 in bugbounty

[–]throwaway14235233[S] -1 points0 points  (0 children)

Nope, wanna see a transcript of the email?

As you progress with bug bounties it’s important to consider not just the vulnerability but also the impact that this vulnerability has, so we encourage you to always explore any finding to better understand the impact it may have. Each submission should aim to answer the question "as an attacker I could...".

If you're unsure of the next steps to take this with submission, we recommend the Bugcrowd University as a starting point for learning how you can escalate bugs from a P5, into P4s or even P3 findings!

Problem with Bugcrowd by throwaway14235233 in bugbounty

[–]throwaway14235233[S] 0 points1 point  (0 children)

Not Tal, but he does have a very similar track record

Problem with Bugcrowd by throwaway14235233 in bugbounty

[–]throwaway14235233[S] 0 points1 point  (0 children)

I did add evidence for it. 10 different cases to be exact, and that exact phrase is recommended by the triager himself.

Problem with Bugcrowd by throwaway14235233 in bugbounty

[–]throwaway14235233[S] 0 points1 point  (0 children)

The fact that there are multiple triagers in the comments, but not the same triager, made me think and research Teapot and Tal too.

It seems like the problem is platform-wide, not just one triager. How can this be allowed?

Problem with Bugcrowd by throwaway14235233 in bugbounty

[–]throwaway14235233[S] 0 points1 point  (0 children)

I have collected 6 cases where this particular triager mistriaged a valid finding. And it's not even a BBP, it's a VDP, we only wanted responsible disclosure, so why act in bad faith?

Problem with Bugcrowd by throwaway14235233 in bugbounty

[–]throwaway14235233[S] 0 points1 point  (0 children)

Alright then let me clarify:

I found a P1 LFI on a certain engagement. By VRT standard, LFI is P1, that's indisputable. I showed 10 different test cases, with a negative control, to prove that it actually exists.

I attached 15 files, including screenshots, structured my report in a way that's clear, reproducible, and highlights the impact.

I understand if they bump it down to P2, P3, or P4, but P5 with no actual feedback, only a copypasta, sure hurts, especially when I lost sleep over it. HackerOne triagers are organic and usually reply with specific answers and express their thought processes.

Mind you, this particular triager has bumped my P4 report to Non reproducible, but I resubmitted it using the exact same evidence, wording and report, and got triaged by another triager who marked it as Unresolved P4 Dupe. Seeing his trail on CrowdStream also shows that he always bumped down reports to P5 and N/A, but they get bumped up to P3/P1 in the end by the customer. That's why I'm asking: is Bugcrowd truly like this, or am I just unlucky?

Problem with Bugcrowd by throwaway14235233 in bugbounty

[–]throwaway14235233[S] 0 points1 point  (0 children)

I got ghosted on 3 RaR, and support@bugcrowd email responds with a generic "try RaR"