Caria Giovanni - HarpocratesYou demonstrate a fileless RCE chain. Complex delivery, in-memory execution, zero detections, confirmed working on multiple devices.
The vendor reviews it twice, involves engineering, then tells you:
"Your research demonstrates a complex chain for delivering and executing code."
...and closes it as 'intended behavior. Not a platform vulnerability.'
Question: is it a vulnerability?
Follow-up: does your answer change if the attack surface exists *between* components — where no single owner's scope definition covers the full chain?
Asking because I have a paper dropping soon about that.
#VRP #responsibleDisclosure #semanticGap #infosec #securityResearch
