
"Last fall, Jakub Ciolek reported two denial-of-service bugs in Argo CD, a popular Kubernetes controller, via HackerOne's Internet Bug Bounty (IBB) program. Both were assigned CVEs and have since been fixed. But instead of receiving an $8,500 reward for the two flaws, Ciolek says, HackerOne ghosted him for months. The open source bug bounty program finally contacted Ciolek on Tuesday, but only after The Register reached out to HackerOne asking about the status of his reward payment and the IBB program in general."
"HackerOne's IBB is a crowdfunded bug bounty program that encourages researchers and maintainers to find and fix vulnerabilities in open source software by offering pooled cash payouts. Any organization that relies on open source code to run its technology or chains (in other words: everyone) can contribute to the bounty pool. Once CVE-tracked vulnerabilities are fixed, the program deducts the funds automatically and issues rewards."
Jakub Ciolek reported two high-severity denial-of-service vulnerabilities in Argo CD through HackerOne's Internet Bug Bounty (IBB). The issues were assigned CVE-2025-59538 and CVE-2025-59531 and were fixed in Argo CD versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19, released on September 30. The flaws could allow a remote, unauthenticated attacker to crash vulnerable instances. The IBB program is crowdfunded and automatically issues pooled payouts once CVE-tracked vulnerabilities are fixed, allocating 80 percent of each reward to the reporter and 20 percent to the project. HackerOne neither contacted the researcher nor issued the expected $8,500 reward for months, and only made contact after The Register inquired about the payment and the state of the IBB program, undermining researcher confidence in the crowdfunded model.
Read at The Register