I wrote a comment to similar effect yesterday: I have almost zero motivation for responsible disclosure schemes anymore. It's a bunch of paperwork only to be told it's "expected behaviour" or "not a bug", or at best receive a measly reward that barely justifies the time investment. I would rather just dump the vuln anonymously on Pastebin, save myself the headache, and then we'll find out if it's "not a bug" or not.
> ... I have almost zero motivation for responsible disclosure schemes anymore. It's a bunch of paperwork only to be told it's "expected behaviour" or "not a bug", or at best receive a measly reward that barely justifies the time investment.
I agree, it is thankless work.
Microsoft recently updated their bug bounty program to disqualify ANY reports that tangentially involve open source repositories. Even if you compromise their private source code or internal cloud resources, your report will now be closed with a measly $0.
Just dump the vuln to Pastebin and leave it at that; it's way more responsible than the endless ghosting and gaslighting those platforms enable.