
I think the main point stands though, and the OP was spinning things quite hard with the whole “they don’t take security seriously.”

I mean okay, when I file a big report and it’s marked as low sev, it makes me salty too, but then I don’t go on forums to spread FUD about the team.




* It was initially closed as "not applicable". I had to insist that it was a vulnerability.

* It was originally scheduled to be fixed within about 90 days, which was reasonable, but they kept delaying it more and more.

* They took 4 months to notify me that they've fixed it. That's 21 months in total from opening to closing it.

* They miscategorised the severity as low, when the exact same vulnerability was medium. It's quite feasible for a determined attacker to set up a camera to record a monitor, and it doesn't require any special exploit code or tools. Exploiting it gives you access to the "crown jewels".

* They didn't open a CVE. Probably didn't issue a security bulletin to their customers, but I didn't check.

* They don't commit to fixing security issues in a timely manner.

* They didn't make the effort to fix the issue themselves; it was incidentally fixed when eventually they updated a dependency which was unmaintained for years.

* The fix was as simple as pointing to a patched fork of the dependency (there was an unmerged PR), not something that requires more than a year to fix.


People like you are why companies hate bug bounty programs. Complaining about a bug marked low severity when your stated attack vector requires installing a physical camera.



