
HackerOne 'ghosted' me for months over $8,500 bug bounty, says researcher

(2026/01/07)


Last fall, Jakub Ciolek reported two denial-of-service bugs in Argo CD, a popular Kubernetes controller, via HackerOne's Internet Bug Bounty (IBB) program. Both were assigned CVEs and have since been fixed. But instead of receiving an $8,500 reward for the two flaws, Ciolek says, HackerOne ghosted him for months.

The open source [1]bug bounty program finally contacted Ciolek on Tuesday, but only after The Register reached out to HackerOne asking about the status of his reward payment and the IBB program in general.

HackerOne's IBB is a [2]crowdfunded bug bounty program that encourages researchers and maintainers to find and fix vulnerabilities in open source software by offering pooled cash payouts. Any organization that relies on open source code to run its technology or its supply chain (in other words: everyone) can contribute to the bounty pool.


Once CVE-tracked vulnerabilities are fixed, the program deducts the funds automatically and issues rewards, with 80 percent of the bounty going to the hacker who reported the bug, and 20 percent to the open source project to help fund the fix.


That's how it's supposed to work, anyway.

"When researchers are instead met with silence - even after CVEs are issued and fixes are shipped - it undermines confidence in the entire model," Ciolek told The Register. "A simple notice saying 'the program is inactive' would go a long way. Ghosting researchers does the opposite."

The two high-severity denial-of-service flaws, [6]CVE-2025-59538 and [7]CVE-2025-59531, affect Argo CD, a GitOps continuous delivery tool for Kubernetes. If exploited, these issues could allow a remote, unauthenticated attacker to crash vulnerable instances.

The open source project's maintainers [8]fixed both vulnerabilities in versions 2.14.20, 3.0.19, 3.1.8 and 3.2.0-rc2, released on September 30, and credited Ciolek with [9]reporting the flaws. Note that the fix landed on four separate release lines, so whether a given deployment is patched depends on its branch, not on its version number alone.
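For operators who want to check whether their own Argo CD instance carries the fix, the following is an added example written for this page, not code from the Argo CD project or from the article. It encodes the four patched versions named above and compares a deployed version against the first patched release on its own line, treating a 3.2.0 release candidate below rc2 as unpatched and the final 3.2.0 as patched. Two assumptions are labelled in the code: release lines newer than 3.2 are taken to contain the fix, and lines older than 2.14 are taken not to; the `argocd-server: v…` line layout used by the sample CLI output is also an assumption, and the sample itself is constructed.

```python
import re
from typing import Optional, Tuple

# First patched version on each release line, per the Argo CD advisory
# for CVE-2025-59538 / CVE-2025-59531 (values taken from the article).
FIXED = {
    (2, 14): "2.14.20",
    (3, 0): "3.0.19",
    (3, 1): "3.1.8",
    (3, 2): "3.2.0-rc2",
}

# Accepts "3.1.8", "v3.1.8", "v3.2.0-rc2" and "v3.1.8+<build-sha>".
_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?(?:\+[0-9A-Za-z.]+)?$")

# A final release must sort above every release candidate of the same x.y.z.
_FINAL_RANK = 10**6


def parse_version(s: str) -> Tuple[int, int, int, int]:
    """Turn an Argo CD version string into a comparable tuple.

    The fourth field is the prerelease rank: rcN -> N, final -> _FINAL_RANK,
    so tuple comparison orders 3.2.0-rc1 < 3.2.0-rc2 < 3.2.0.
    """
    m = _VER_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Argo CD version: {s!r}")
    major, minor, patch, rc = m.groups()
    rank = int(rc) if rc is not None else _FINAL_RANK
    return int(major), int(minor), int(patch), rank


def is_patched(version: str) -> bool:
    """True if `version` is at or above the first fixed release on its line."""
    v = parse_version(version)
    line = (v[0], v[1])
    if line in FIXED:
        return v >= parse_version(FIXED[line])
    # Assumption: lines newer than any listed one branched after the fix and
    # contain it; lines older than 2.14 never received a backport.
    return line > max(FIXED)


def server_version_from_cli(text: str) -> Optional[str]:
    """Pull the server version out of `argocd version` output.

    Assumption: the server line looks like 'argocd-server: v3.1.7+abc123'.
    """
    for line in text.splitlines():
        if line.strip().startswith("argocd-server:"):
            return line.split(":", 1)[1].strip().split()[0]
    return None


# Constructed sample output, not captured from a real cluster.
SAMPLE_CLI_OUTPUT = """\
argocd: v3.1.8+deadbee
  BuildDate: 2025-09-30T00:00:00Z
argocd-server: v3.1.7+abc1234
  BuildDate: 2025-08-01T00:00:00Z
"""


def check_cli_output(text: str) -> Tuple[Optional[str], Optional[bool]]:
    """Return (server_version, patched?) for a block of CLI output."""
    ver = server_version_from_cli(text)
    return (ver, is_patched(ver)) if ver else (None, None)


if __name__ == "__main__":
    ver, ok = check_cli_output(SAMPLE_CLI_OUTPUT)
    print(f"argocd-server {ver}: {'patched' if ok else 'NOT patched'}")
```

The check deliberately keys on the release line first: a 3.0.19 server is patched even though 3.1.7 is a numerically higher version that is not, which is exactly the mistake a naive "greater than 3.0.19" comparison would make.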

Radio silence

Since October, Ciolek said, he has tried multiple times to reach someone at HackerOne to find out when and whether he will get a payout, or whether the IBB program has been paused despite still being listed as active on the website. All of these inquiries were met with radio silence, according to Ciolek. He's not some noob either – he has some 20 bug disclosures under his belt and earned two payouts from this bounty program last year.

"I submitted the reports to HackerOne on October 30, 2025, as required by the IBB process," he told The Register. "Since then, I've repeatedly tried to get confirmation or an update from HackerOne."


This includes sending messages via the platform on November 14, November 19, and December 15, he said. He also emailed the official IBB address (ibb@hackerone.com) on December 15, and reached out to an employee on December 22.

"None of these attempts received a response," Ciolek said. "According to HackerOne's own IBB page, the last resolved report appears to be from roughly eight months ago."

On Tuesday, however, he did receive an email from HackerOne thanking him for his patience, confirming the program remains active, and noting his bug reports remain "pending reward processing due to a temporary operational backlog."


HackerOne told Ciolek it expects to resume its regularly scheduled rewards payout by the end of the first quarter or sooner.

The bug bounty platform did not respond to The Register's inquiries.

[12]Bug bounty hunters load up to stalk AI and fancy bagging big bucks

[13]Bug bounties: The good, the bad, and the frankly ridiculous ways to do it

[14]Curl creator mulls nixing bug bounty awards to stop AI slop

[15]AI-generated bug reports are seriously annoying for developers

While it looks like Ciolek will receive a monetary award for his time and effort, the lack of communication to researchers still presents a problem.

"Bug bounty programs run on trust and clarity," Ciolek said. "If a program is paused, defunded, or otherwise inactive, that's completely understandable – but it needs to be communicated."

"I want to stress that I don't do vulnerability research purely for money," he added. "Most of my findings come without bounties attached. But bounties matter: they help offset the time spent auditing, documenting, and responsibly disclosing issues, and they make it easier for researchers to justify working on open-source projects that don't otherwise have funding."

Ciolek also wonders if [16]AI slop is at least [17]partly to blame .

"I suspect platforms are also dealing with increased noise - including low-quality LLM-based or automated submissions," he said. "But that makes responsiveness to valid, high-signal reports even more important, not less." ®




[1] https://www.theregister.com/2025/08/24/bug_bounty_advice/

[2] https://www.hackerone.com/company/internet-bug-bounty


[6] https://nvd.nist.gov/vuln/detail/CVE-2025-59538

[7] https://nvd.nist.gov/vuln/detail/CVE-2025-59531

[8] https://github.com/argoproj/argo-cd/commit/1a023f1ca7fe4ec942b4b6696804988d5a632baf

[9] https://github.com/argoproj/argo-cd/security/advisories/GHSA-gpx4-37g2-c8pv


[12] https://www.theregister.com/2023/10/27/google_ai_bounty_hackerone/

[13] https://www.theregister.com/2025/08/24/bug_bounty_advice/

[14] https://www.theregister.com/2025/07/15/curl_creator_mulls_nixing_bug/

[15] https://www.theregister.com/2024/01/04/aiassisted_bug_reports_make_developers/

[16] https://www.theregister.com/2025/07/15/curl_creator_mulls_nixing_bug/

[17] https://www.theregister.com/2024/01/04/aiassisted_bug_reports_make_developers/
