New way to hide backdoors in github: "reviewed your report: not a security risk" (youtube.com)
12 points by davidfiala 15 days ago | 4 comments



Any bets on how long it is before GitHub addresses this problem -- even though they say it is not a problem?


IKR... I'll try to post an update if possible.


tl;dr: User opens a file in the GitHub UI, but they are served the wrong file contents. Security report is dismissed. Trying to use my personal network now to escalate. While there was a username attached to them closing my bug report, they didn't bother to mention why they closed it.

One former CISO friend of mine also mentioned, "The amount of noise in H1 is so out of control" and another anonymous point made was that approximately "90% closed without human review".

As someone who runs a tech business, I almost get it: you are bombarded by security report spam. But you have to take every one of them as potentially existentially serious. And you have to treat every minor bug or glitch with respect too. Be creative when you see it. Because even if you yourself cannot figure out how to exploit it... I promise there is someone smarter than you (and definitely smarter than me!) who can and will figure it out. That's IMHO a big part of the reason why you see an exploit more as a "kill chain" rather than an individual RCE. And back to the point: while there is too much noise on HackerOne, it doesn't mean that closing bugs without honest good-faith review is the only solution.

I've paid out for security risks and even educational emails that were sent to me (probably overly generously, TBH). And intriguingly, many of the reports come for free. Getting paid was a nice side effect for the sender, I suppose. I always read them and do my best to reply thoughtfully because you never know if the person writing it is still learning themselves, a kid, a good Samaritan, or whatnot. Everyone has something to teach, and something to learn.

If HackerOne reports and VRPs are so noisy that even legit material is discarded, then perhaps the problem has more to do with the gamification of the process (i.e., leaderboards, and quantities of money being bombarded at you like a casino ad)... and less with the aspects of learning, teaching, community, and professional networking?

Kind of like Dave Plummer's punchline: I wish I could report bugs and check a box that says "I'm in it for the likes and subs" so that reports can be taken seriously. But at the same time... if someone is in it for the financial aspects (which is great too), they should also be rewarded.

So, how do we make vuln reporting work?

edit: the repo from the video for those asking: https://github.com/davidfiala/not-a-security-risk/


I think the exploit you demonstrate in your video is pretty reasonable/realistic. There are plenty of times where I eyeball a repo in the GitHub UI before downloading it, since I want to know what's happening under the hood for trust reasons. And this def throws a little bit of a wrench into that process.
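The comment above describes reviewing files in a web UI before trusting a clone. One defender-side check that does not depend on rendered contents is to compare Git object ids: Git names every file by the SHA-1 of `blob <size>\0<content>`, so the id of a file in your clone can be recomputed locally and compared with the id recorded for the file you reviewed (the Trees API of Git hosting services reports a `sha` per entry). The script below is an added example, not code from the thread or from the linked repository; the reviewed blob ids and clone contents it uses are constructed sample data, and it assumes you record blob ids at review time.

```python
"""Verify that the file you reviewed is the same Git object you cloned.

Added example (not from the thread). Git identifies a file by the SHA-1 of
"blob <size>\\0<content>", so recomputing that hash over a local clone lets you
compare what you cloned against the blob id recorded for the file you reviewed,
instead of trusting whatever a web UI rendered.
"""
from __future__ import annotations

import hashlib
from pathlib import Path


def git_blob_sha1(data: bytes) -> str:
    """Return the Git object id for a file with exactly these bytes."""
    header = f"blob {len(data)}\0".encode("ascii")
    return hashlib.sha1(header + data).hexdigest()


def load_clone(root: Path) -> dict[str, bytes]:
    """Read every regular file under a local checkout, skipping the .git directory.

    Keys are repo-relative POSIX paths, matching the paths a tree listing uses.
    """
    files: dict[str, bytes] = {}
    for p in root.rglob("*"):
        rel = p.relative_to(root)
        if p.is_file() and ".git" not in rel.parts:
            files[rel.as_posix()] = p.read_bytes()
    return files


def find_mismatches(reviewed: dict[str, str], clone: dict[str, bytes]) -> list[dict[str, str]]:
    """Compare blob ids recorded while reviewing against the files in a clone.

    reviewed maps repo-relative paths to the blob id noted for each file;
    clone maps the same kind of paths to the bytes actually checked out.
    Returns one entry per file that is missing or whose content hashes differently.
    """
    problems: list[dict[str, str]] = []
    for path, expected in reviewed.items():
        if path not in clone:
            problems.append({"path": path, "reason": "missing from clone"})
            continue
        actual = git_blob_sha1(clone[path])
        if actual != expected.lower():
            problems.append(
                {"path": path, "reason": "content differs", "expected": expected, "actual": actual}
            )
    return problems


if __name__ == "__main__":
    # Constructed sample data standing in for a real review session: the ids in
    # `reviewed` are what the reviewer noted, `clone` is what ended up on disk.
    reviewed = {
        "install.sh": git_blob_sha1(b"#!/bin/sh\necho installing\n"),
        "README.md": git_blob_sha1(b"# demo\n"),
    }
    clone = {
        "install.sh": b"#!/bin/sh\necho not what was reviewed\n",
        "README.md": b"# demo\n",
    }
    for problem in find_mismatches(reviewed, clone):
        print(problem)
    # For a real checkout: find_mismatches(reviewed, load_clone(Path("path/to/clone")))
```

Because the comparison is over object ids rather than rendered text, it also catches differences that a UI would not display, such as trailing bytes or line-ending changes.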



