TL;DR

Jakub Ciolek reported two denial-of-service bugs in Argo CD through HackerOne's Internet Bug Bounty program; both received CVEs and were fixed. Ciolek says HackerOne did not respond for months about an $8,500 reward until after a reporter inquired; HackerOne told him there is an operational backlog and expects to resume payouts by the end of Q1.

What happened

Last fall security researcher Jakub Ciolek submitted two denial-of-service reports affecting Argo CD to HackerOne’s Internet Bug Bounty (IBB) program. The flaws were assigned CVE-2025-59538 and CVE-2025-59531 and were patched by the Argo CD maintainers in releases published on September 30, with Ciolek credited. Ciolek says he filed the reports through the IBB workflow on October 30, 2025, then made repeated attempts to get confirmation or a payout — messaging via the HackerOne platform on November 14, November 19 and December 15, emailing the program address on December 15, and contacting an employee on December 22 — without receiving a reply. After a reporter reached out to HackerOne, the company emailed Ciolek to say the program remains active and his reports are pending reward processing due to a temporary operational backlog; HackerOne expects to resume regular payouts by the end of the first quarter. The platform did not respond to press inquiries.

Why it matters

  • Delayed or absent communication from bounty platforms can erode trust between researchers and open source projects.
  • Bug bounties are a funding mechanism for open source maintenance; payment delays may reduce researchers’ willingness to audit unfunded projects.
  • When valid reports go unanswered, it weakens incentives for timely vulnerability disclosure and remediation.
  • Operational issues at a major platform could signal broader capacity problems handling increased volume or low-quality submissions.

Key facts

  • Researcher: Jakub Ciolek — reported two denial-of-service issues in Argo CD.
  • Vulnerabilities: CVE-2025-59538 and CVE-2025-59531; both could allow unauthenticated remote crashes.
  • Fixes: Argo CD releases dated September 30 patched the issues and credited Ciolek.
  • Submission date: Ciolek says he submitted the reports to HackerOne on October 30, 2025.
  • Communication attempts: messages on Nov 14, Nov 19, Dec 15 via the platform; email to ibb@hackerone.com on Dec 15; contact with an employee on Dec 22 — all initially unanswered, per Ciolek.
  • Expected payout: Ciolek says the two reports should earn $8,500 under the IBB reward table; payment status was unresolved until HackerOne’s recent message.
  • IBB payout split: the program’s model allocates 80% of a bounty to the researcher and 20% to the affected open source project.
  • HackerOne’s response: after media inquiry the company told Ciolek the reports are "pending reward processing" due to a temporary operational backlog and expects to resume payouts by end of Q1.
  • Press outreach: HackerOne did not reply to the reporter’s direct inquiries, according to the story.

What to watch next

  • Whether HackerOne completes Ciolek’s payout and clears the reported backlog by the end of Q1 — not confirmed in the source.
  • If HackerOne updates the public status or activity of its Internet Bug Bounty program on its site or via direct notices to researchers — not confirmed in the source.
  • Whether the platform publishes details about operational changes or mitigation steps to prevent future communication and processing delays — not confirmed in the source.

Quick glossary

  • Bug bounty: A program that offers monetary rewards to individuals who find and responsibly disclose software vulnerabilities.
  • CVE: Common Vulnerabilities and Exposures — a standardized identifier assigned to publicly known cybersecurity vulnerabilities.
  • Denial-of-service (DoS): A type of vulnerability or attack that can make a service unavailable by overwhelming or crashing it.
  • Argo CD: An open source GitOps continuous delivery tool for deploying applications to Kubernetes clusters.
  • HackerOne Internet Bug Bounty (IBB): A crowdfunded program run through HackerOne that pools contributions to pay bounties for vulnerabilities in open source projects.

Reader FAQ

Did the researcher receive the $8,500 bounty?
Not as of publication; HackerOne told him the reports are still pending reward processing.

Were the reported Argo CD vulnerabilities fixed?
Yes; maintainers released patches on September 30 and credited the researcher.

What did HackerOne say about the delay?
HackerOne told the researcher the reports are pending reward processing due to a temporary operational backlog and expects to resume regular payouts by the end of Q1.

Is the IBB program paused or inactive?
HackerOne told the researcher the program remains active; whether it is fully operational is not confirmed in the source.

Sources

  • Jessica Lyons, "HackerOne 'ghosted' me for months over $8,500 bug bounty, says researcher" (subhead: "Long after CVEs issued and open source flaws fixed"), Security section, published Wed 7 Jan 2026, 00:17 UTC.
