
As I understand things, everyone who runs a bug bounty gets an endless stream of useless reports telling them things like "your website sends the server header which makes you vulnerable to hacking, bounty please".

Therefore, they have very junior people assigned to triage bug reports. And those very junior people are in the habit of closing 99.9% of reports as not-really-a-security-problem.



Anecdote time, I discovered a bug where a bank app would continue receiving 2FA notification prompts even after the user terminated the session from another device (e.g. after realizing their device was stolen). The app was apparently still holding onto some kind of a valid token that could be used to approve 2FA requests despite being "logged out".

I submitted detailed reproduction steps, with a video clearly showing the bug. Triage claimed that this was "intended behavior" and as far as I'm aware, the bank didn't even see my report.
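
The failure mode described in the comment above, as an added example that is not part of the original post or of any real bank's code: a minimal authentication server in which 2FA approval tokens are either left alive after a session is terminated (the reported behaviour) or bound to the session and revoked with it. Every class, method and value here is a constructed assumption.

```python
"""Session-bound 2FA approval tokens: a constructed model of the bug
reported above (a logged-out device that can still approve push prompts)
next to the hardened variant. All names are hypothetical."""
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    session_id: str
    user: str
    device: str
    active: bool = True


class AuthServer:
    def __init__(self, bind_tokens_to_session: bool):
        # False reproduces the reported behaviour; True is the hardened variant.
        self.bind_tokens_to_session = bind_tokens_to_session
        self.sessions: dict[str, Session] = {}
        self.approval_tokens: dict[str, str] = {}   # approval token -> session id
        self.prompts: dict[str, str] = {}           # prompt id -> user awaiting approval

    def login(self, user: str, device: str) -> tuple[str, str]:
        """Establish a session and hand the device a long-lived approval token."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(sid, user, device)
        token = secrets.token_hex(16)
        self.approval_tokens[token] = sid
        return sid, token

    def terminate_session(self, sid: str) -> None:
        """'Log out everywhere' / lost-phone action, issued from another device."""
        self.sessions[sid].active = False
        if self.bind_tokens_to_session:
            # Hardened: revoke every approval token that belongs to the dead session,
            # so the device holding it can no longer approve anything.
            for token, bound_sid in list(self.approval_tokens.items()):
                if bound_sid == sid:
                    del self.approval_tokens[token]

    def create_prompt(self, user: str) -> tuple[str, list[str]]:
        """A new login attempt for `user` raises a prompt; returns which devices get the push."""
        pid = secrets.token_hex(8)
        self.prompts[pid] = user
        # Hardened: only devices with a live session are notified; the vulnerable
        # variant keeps pushing to every device that ever logged in.
        targets = [s.device for s in self.sessions.values()
                   if s.user == user and (s.active or not self.bind_tokens_to_session)]
        return pid, targets

    def approve(self, token: str, pid: str) -> bool:
        """Approval is valid only if the token exists, its session is live, and the
        prompt belongs to the same user."""
        sid = self.approval_tokens.get(token)
        if sid is None or pid not in self.prompts:
            return False
        session = self.sessions[sid]
        if self.bind_tokens_to_session and not session.active:
            return False
        if self.prompts[pid] != session.user:
            return False
        del self.prompts[pid]
        return True


def scenario(hardened: bool) -> tuple[bool, list[str]]:
    """Stolen-phone scenario: returns (terminated device could still approve,
    devices that received the push)."""
    srv = AuthServer(bind_tokens_to_session=hardened)
    phone_sid, phone_token = srv.login("alice", "phone")
    srv.login("alice", "laptop")
    srv.terminate_session(phone_sid)            # alice kills the phone session from the laptop
    pid, notified = srv.create_prompt("alice")  # someone now tries to log in as alice
    return srv.approve(phone_token, pid), notified


if __name__ == "__main__":
    print("vulnerable:", scenario(hardened=False))  # (True, ['phone', 'laptop'])
    print("hardened:  ", scenario(hardened=True))   # (False, ['laptop'])
```

The point of the check in `approve` is that revoking a session must also revoke every credential derived from it, and that push delivery should be driven by the set of live sessions rather than by the set of enrolled devices; a triage team reproducing the report would expect the second tuple, not the first.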


Haha yes, that's the norm. They don't care. Report to the regulator. Then they care. Find out who the regulator is in your country, and report to them. Kinda annoying, but when the regulator tells them they need to do it, it magically gets done.

Note that the regulator doesn't threaten with childish things like a fine of 1M USD, that's kids' playground stuff. They threaten to revoke their banking license, which will cost them 100x more per day :)


I've found that responding "Well, if that's intended behavior you don't mind if I blog about it then? The post will go up in a week." tends to help them take it more seriously.


Sorry, if that's your security process, it's broken. If you're Microsoft and that's your security process, you have no excuse and should be embarrassed. However, I heard such stories about Microsoft's security process plenty of times before, so I guess that's what it is.


> "your website sends the server header which makes you vulnerable to hacking, bounty please"

Getting nightmare flashbacks at my last job.

My CISO insisted everything on our penetration test report get remediated. Even "Information" level items, like the server header. And port 443 being open. facepalm


It’s a soul-sucking type of work. At my company, engineers tend to blindly follow security tooling recommendations to the T without ever considering context. Quite frustrating. One example is hardening an internal-only, ten-monthly-active-users app as if it were public. Lots of misdirected engineering hours if you ask me, but go to tick that checkbox the auditor asked for!
