Tell HN: Ignored after submitting Invision billing info leak to Bugcrowd
As the title says, I submitted a "bug" in Invision to Bugcrowd that I thought was pretty important to fix. It "leaked" part of the user's billing info along with a bunch of other data on nearly every page you visited. So, if someone is/was sniffing your traffic, they can get your payment method info in plain English.
Long story short, after submitting, we went back and forth and Bugcrowd refused to acknowledge that this was an actual vulnerability and did not pay out, despite me not even submitting the bug in hopes of a payout. I just wanted Invision's users to be safer online while using their service.
How do we - as a technology community, or even furthermore, developer community - deal with situations like this?
Note: I am disclosing this publicly as it has now nearly been one year since my original submission, and the bug remains.

It sounds like they're knowingly in violation of GDPR etc. Report them to the data commissioner?