HackerOne Delays IBB Payouts To Researcher

Jakub Ciolek reported two high-severity denial-of-service bugs in Argo CD last fall via HackerOne's Internet Bug Bounty (IBB); they were assigned CVE-2025-59538 and CVE-2025-59531 and fixed on Sept. 30, 2025. HackerOne did not respond for months, later citing a temporary operational backlog and saying reward payouts are pending and expected by the end of Q1 2026. The communication gap undermines confidence in the IBB model.
Key Points
- Reported two high-severity DoS CVEs in Argo CD fixed in Sept 2025.
- Showcases IBB operational backlog and months-long communication blackout undermining researcher trust.
- Suggests maintainers and contributors should verify bounty program status before relying on pooled payouts.
Scoring Rationale
Highlights operational backlog and researcher impact, but limited scope restricted to one bounty program and single incident.