Real stories of "won't-fix" tags, scope tricks, and silent patches — plus a survival guide for new hunters
Bug bounty platforms sell a simple dream: hackers earn money, companies get safer software, and everyone wins. But dig into public disclosure threads, Reddit rants, and private Discords and you'll find a darker subplot. Some organizations game their own programs, dodging payouts with "won't fix" labels, razor-thin scopes, or last-minute severity downgrades while quietly pushing patches.
Below you'll find three common tactics, three representative case studies, and a condensed playbook that helps new hunters stay paid (and sane) in a sometimes-rigged arena.
The Anatomy of Abuse
1. "Valid but Won't Fix"
How It Works: Company admits the bug is real but claims the risk is acceptable, so no bounty.
Why It Hurts Hunters: Hours of research go unrewarded; no public credit.
2. Scope as a Shield
How It Works: Programs exclude high-risk assets or domains; any bug there is auto-rejected.
Why It Hurts Hunters: Real-world attack chains become "out of scope" fiction.
3. Severity Downgrade & Silent Patch
How It Works: Report is marked "low" or "informative," then quietly patched.
Why It Hurts Hunters: Hunter receives a token payout (or none) while the company benefits from a fix.
Three Case Studies That Still Sting
1. The Downgraded P1
A researcher demonstrated full account takeover against a critical API. Triage asked for repro steps that were already in the report, labelled it "medium," and paid $400, just over 1% of the program's advertised maximum. The fix rolled out a week later, but the severity tag never budged.
Lesson: Delay bias is real. Long triage queues drain momentum; hunters often accept low offers simply to move on.
2. Four "Won't Fix" in a Week
On a privacy-focused European platform, one company slapped "won't fix" on four high-impact findings: a CSRF, an IDOR, and two misconfigurations. Mediation was denied because the researcher lacked the platform's required reputation score to appeal. All four issues were patched months later.
Lesson: Policy vacuums invite abuse. When platforms let programs define "won't fix" unilaterally, hunters hold no leverage.
3. Scope Fine-Print Outrage
A hotel-review site limited scope to *.secure.example.com. A chained exploit on an auxiliary subdomain let an attacker mass-delete reviews on the production site. Triage ignored the business impact and closed it as "out of scope," citing the domain mismatch.
Lesson: Attackers don't respect dotted lines. Artificial scope boundaries ignore how real exploitation works.
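To make the scope trap in this case concrete, here is an added Python scope checker (not code from the article or from any platform). It implements the wildcard convention most programs use, in which `*.secure.example.com` covers hosts below secure.example.com but not secure.example.com itself, applies exclusions before inclusions, and evaluates a chained exploit by both its entry host and the asset it damages. The scope lists and host names are constructed for illustration.

```python
"""Scope checker for bug bounty targets (added example, constructed data).

Wildcard convention assumed: '*.secure.example.com' matches any host with
at least one label below secure.example.com, not the name itself and not
siblings such as notsecure.example.com. Exclusions take precedence."""


def normalize_host(target):
    """Reduce a URL or host string to a bare lower-case hostname."""
    host = target.strip().lower()
    if "://" in host:                       # drop scheme
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0]            # drop path
    if host.count(":") == 1:                # drop :port (leave IPv6 alone)
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")                 # drop trailing dot of FQDN form


def matches(pattern, target):
    """Return True if target falls under one scope entry."""
    pattern, host = normalize_host(pattern), normalize_host(target)
    if pattern.startswith("*."):
        suffix = pattern[1:]                # '.secure.example.com'
        # The leading dot keeps 'notsecure.example.com' from matching,
        # and the length check keeps the bare parent out of the wildcard.
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def classify(target, in_scope, out_of_scope):
    """'excluded' if an exclusion matches, else 'in-scope' or 'out-of-scope'."""
    if any(matches(p, target) for p in out_of_scope):
        return "excluded"
    if any(matches(p, target) for p in in_scope):
        return "in-scope"
    return "out-of-scope"


def chain_verdict(entry_host, impacted_host, in_scope, out_of_scope):
    """Judge a chained exploit two ways: by where the attacker got in
    (literal scope reading) and by what was damaged (impact-over-origin)."""
    entry = classify(entry_host, in_scope, out_of_scope)
    impact = classify(impacted_host, in_scope, out_of_scope)
    return {
        "entry": entry,
        "impact": impact,
        "payable_by_literal_scope": entry == "in-scope",
        "payable_by_impact": impact == "in-scope",
    }


# Constructed scope, modelled on the hotel-review case: one wildcard in,
# a legacy host and a staging tree explicitly out.
IN_SCOPE = ["*.secure.example.com"]
OUT_OF_SCOPE = ["legacy.secure.example.com", "*.staging.secure.example.com"]

# Constructed hosts a hunter might touch while building the chain.
CANDIDATES = [
    "login.secure.example.com",                  # plainly in
    "secure.example.com",                        # parent: NOT covered by *.
    "https://Login.Secure.Example.com.:8443/x",  # URL noise, still in
    "legacy.secure.example.com",                 # explicitly excluded
    "api.staging.secure.example.com",            # excluded by wildcard
    "notsecure.example.com",                     # sibling, out
    "assets.example.com",                        # the auxiliary entry point
]


def scope_table():
    """Classify every candidate; returns {host: verdict}."""
    return {h: classify(h, IN_SCOPE, OUT_OF_SCOPE) for h in CANDIDATES}


if __name__ == "__main__":
    for host, verdict in scope_table().items():
        print(f"{verdict:13} {host}")
    # Entry via the auxiliary host, damage on an in-scope production host.
    print(chain_verdict("assets.example.com", "reviews.secure.example.com",
                        IN_SCOPE, OUT_OF_SCOPE))
```

Run it before you start testing a host, and again before you file: the parent domain of a wildcard and anything reached through an excluded tree are the two places a literal scope reading will bite you, and the chain verdict gives you the wording for an impact-over-origin argument if triage leans on the domain mismatch.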
Protect Yourself: The Quick-Start Checklist
- Read the scope twice. Search for hidden exclusions, especially on mobile APIs, legacy subdomains, and third-party assets — Avoid surprises after you've sunk days into testing.
- Screenshot payouts per severity. Take a quick grab of the published reward table — Provides evidence if numbers change later.
- Test & record version fingerprints. Capture build numbers, commit hashes, version-bearing response headers, and a hash of the response body, each with a timestamp, during exploitation — Counters the "we already fixed that" defense.
- Lead with business impact. Open your report with one sentence on revenue, liability, or brand damage — Triagers skim… grab attention fast.
- Set polite but firm follow-ups. Nudge at 7 days, escalate at the platform's SLA mark — Shows professionalism while holding the clock.
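As an added example (not code from the original article), here is a small Python evidence recorder for the fingerprinting step in the checklist above. It pulls the version-bearing headers out of a captured response, hashes the body, chains each capture to the previous one so the series is tamper-evident, and diffs an exploit-time capture against a later one to show that the target changed after the report. The host `api.example.com`, the header list, and both sample responses are constructed for illustration; a real target may expose different headers or none.

```python
"""Evidence record for a bug-bounty report: capture version fingerprints
from an HTTP response at exploitation time, hash them, and compare against
a later capture to show that the target changed after the report.

Added example, not from the original article. The responses below are
constructed sample data; the header names are commonly seen
version-bearing headers, not a standard."""
import hashlib
import json
import re
from datetime import datetime, timezone

# Headers that often carry version, build or deployment identity (assumed list).
FINGERPRINT_HEADERS = (
    "server", "x-powered-by", "x-aspnet-version", "x-runtime",
    "etag", "last-modified", "x-version", "x-build", "x-commit",
    "x-release", "x-request-id",
)

# Heuristics for version-like tokens in headers or bodies.
VERSION_PATTERNS = (
    re.compile(r"\b[0-9a-f]{7,40}\b"),                  # git-style commit hash
    re.compile(r"\bv?\d+\.\d+\.\d+(?:[-+][\w.]+)?\b"),  # semantic version
)


def extract_versions(text):
    """Return sorted unique version-like tokens found in text."""
    found = set()
    for pat in VERSION_PATTERNS:
        found.update(m.group(0) for m in pat.finditer(text))
    return sorted(found)


def record_fingerprint(url, status, headers, body, observed_at=None, prev_hash=""):
    """Build a tamper-evident evidence record for one observed response.

    prev_hash links this record to the previous one, so changing any earlier
    capture breaks the hash of every later capture."""
    lower = {k.lower(): v for k, v in headers.items()}
    picked = {h: lower[h] for h in FINGERPRINT_HEADERS if h in lower}
    body_bytes = body if isinstance(body, bytes) else body.encode()
    record = {
        "url": url,
        "observed_at": observed_at or datetime.now(timezone.utc).isoformat(),
        "status": status,
        "headers": picked,
        "body_sha256": hashlib.sha256(body_bytes).hexdigest(),
        "versions": extract_versions(
            " ".join(picked.values()) + " " + body_bytes.decode(errors="replace")),
        "prev_hash": prev_hash,
    }
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    record["record_hash"] = hashlib.sha256(canonical.encode()).hexdigest()
    return record


def verify_chain(records):
    """Recompute every record hash and check each link; True if intact."""
    prev = ""
    for rec in records:
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if body["prev_hash"] != prev:
            return False
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        if hashlib.sha256(canonical.encode()).hexdigest() != rec["record_hash"]:
            return False
        prev = rec["record_hash"]
    return True


def diff_fingerprints(before, after):
    """Return {field: (old, new)} for each fingerprint element that changed."""
    changes = {}
    for name in sorted(set(before["headers"]) | set(after["headers"])):
        old, new = before["headers"].get(name), after["headers"].get(name)
        if old != new:
            changes[name] = (old, new)
    for field in ("status", "body_sha256", "versions"):
        if before[field] != after[field]:
            changes[field] = (before[field], after[field])
    return changes


# Constructed captures: the response seen while the exploit worked, and the
# same endpoint a week later after a silent patch (host is a placeholder).
EXPLOIT_TIME = dict(
    url="https://api.example.com/v1/account", status=200,
    headers={"Server": "nginx/1.21.6", "X-Build": "2f9c1e4", "ETag": '"7e1d3a"'},
    body='{"user":"victim","role":"admin"}', observed_at="2024-03-01T10:00:00+00:00",
)
AFTER_PATCH = dict(
    url="https://api.example.com/v1/account", status=403,
    headers={"Server": "nginx/1.21.6", "X-Build": "8a4d72b", "ETag": '"9b0f2c"'},
    body='{"error":"forbidden"}', observed_at="2024-03-08T10:00:00+00:00",
)


def build_evidence():
    """Record both observations as a two-link chain; return (records, diff)."""
    first = record_fingerprint(prev_hash="", **EXPLOIT_TIME)
    second = record_fingerprint(prev_hash=first["record_hash"], **AFTER_PATCH)
    return [first, second], diff_fingerprints(first, second)


if __name__ == "__main__":
    records, changes = build_evidence()
    print(json.dumps(records, indent=2))
    for field, (old, new) in changes.items():
        print(f"{field}: {old!r} -> {new!r}")
    print("chain intact:", verify_chain(records))
```

Keep the JSON records with your report. A changed build header plus a changed body hash between your exploit-time capture and the "already fixed" reply is exactly the kind of evidence a triager cannot wave away, and the hash chain lets you show the records were not edited after the fact.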
When Things Go Sideways: Three-Step Dispute Script
- Quote the Rulebook: Copy the exact platform clause or CVSS rubric the triager is ignoring. Keep it factual.
- Provide Fresh Evidence: Short Loom video, sanitized logs, or a demo link that self-destructs in 48 h. Make their next step easy.
- Ask for Mediation, Once: If the program ghosts or stonewalls, file a mediation request. Don't chain-email; let the platform work.
If mediation is impossible or drags beyond 30 days, consider public disclosure only after you've met every contractual notice period and local law. Your mental health and reputation matter more than any single payout.
How Platforms and Programs Can Fix the Game
- Pay on Validation, Not Remediation: If a bug is "valid," the bounty should trigger — regardless of whether the company chooses to patch immediately.
- Impact-Over-Origin Clause: Off-scope endpoints that demonstrably affect in-scope assets should be payable. Attackers don't care about subdomain semantics.
- Automatic Mediation Eligibility: Any dispute over severity or reward should be eligible for third-party review, no matter the hunter's reputation score.
- Public SLA Dashboards: Response-time transparency shames chronic offenders and guides hunters toward fairer programs.
- Safe-Harbor Baseline: Platforms must guarantee legal protection for hunters who stay within policy — full stop.
Know When to Walk Away
- Serial Downgrades: Two or more severity drops without clear technical reasoning.
- Silent Patching: You spot the fix in prod but your report is still marked "informative."
- No Mediation Path: Platform blocks disputes unless you hit an arbitrary points threshold.
Pivot to programs with a documented record of fairness, such as Intigriti's sub-day triage or smaller startups hungry for talent. Your expertise is scarce; take it where it's valued.
Closing Thoughts
Companies that game their own bounty rules trade short-term savings for long-term risk. They lose researcher trust, invite public embarrassment, and nudge skilled hackers toward gray markets. By spotlighting real abuses and sharing practical defenses, we can push the ecosystem toward the win-win it was meant to be.
Found this playbook useful? Follow me for more front-line case studies, ethical-hacking tactics, and unfiltered commentary from Bucharest's cybersecurity scene. Let's keep the pressure (and the conversation) alive.