Bug bounty SLA transparency:
A Critical-severity account takeover affecting millions of users was submitted via @hackerone on March 11, with complete attack chain and code-level evidence.
28 days: no vendor response.
Mediation requested on day 16: still pending.
Program's published SLA: 2 days.
Sharing this timeline publicly because the internal process has stalled.
Related case: 36 vulnerabilities reported to a CNA-designated fintech (1.4B users) with full PoC on 3 devices.
Vendor dismissed in one line. Legal counsel demanded takedown within 4 hours (documented: innora.ai/zfb/). 9 research articles subsequently removed. As CNA: zero CVE-IDs assigned.
CISA Root CNA dispute filed. Evidence chain preserved with timestamps.
One concrete ask:
@hackerone — please publish program-level SLA compliance rates. Researchers currently have no visibility into whether a 28-day wait is an anomaly or the norm for a given program.
Transparency builds trust. Silence erodes it.
Timeline and documentation: forthcoming on Medium.
Jiqiang Feng | Innora AI Security