One of the most frustrating issues with Bugcrowd is how they treat valid submissions. It's not uncommon to see legitimate vulnerabilities downgraded to P5 (informational) even when they clearly have real security impact. For researchers, that essentially means: "Thanks for the report, but it's worthless."

And when you spend hours — sometimes days — investigating, validating, documenting, and responsibly disclosing an issue, that kind of response feels like a slap in the face.

But what happened in my case was even worse.

I submitted a vulnerability report that initially sat there with little attention. The first person who reported something related barely pushed for it or explained the impact properly. I, on the other hand, did the work: I documented the issue, explained the security implications, and fought to make sure the impact was understood.

For over 15 days, my submission remained unique. No duplicate tags, no conflicts — just a valid report waiting for proper triage.

Then, after I pushed and argued my case, the severity was finally changed from P5 to P3. At that moment it looked like the effort had paid off. It meant the vulnerability was recognized as having real impact.

But instead of closing the case fairly, something bizarre happened.

The moment the severity was updated, the report was suddenly marked Duplicate.

Let that sink in.

A report that had been sitting without duplication for more than two weeks suddenly became a duplicate only after the severity was increased.

So effectively, I did the hard work:

  • I analyzed the issue
  • I demonstrated the impact
  • I pushed for proper severity classification
  • I helped move it from P5 → P3

And the reward for doing that work?

A duplicate tag.

Which means someone else gets credit, even though they didn't fight for the impact or push the issue forward.

This kind of process completely kills motivation for researchers. Bug bounty programs rely on the goodwill and persistence of security researchers, but when platforms handle reports like this, they send a very clear message:

Your effort doesn't matter.

The reality is that bug bounty hunting already requires massive amounts of unpaid work. Researchers spend hours digging through applications, validating vulnerabilities, writing reports, and following responsible disclosure practices — all with the hope that platforms will treat them fairly.

But when the system allows severity changes after researcher advocacy and then quietly marks the submission as a duplicate, it feels less like security collaboration and more like a rigged game.

Platforms like Bugcrowd should remember that researchers are not just "report generators." We are the people helping secure their clients' systems.

And when our work is dismissed, downgraded to P5, or turned into duplicates after the fact, it doesn't just waste our time.

It destroys trust in the entire bug bounty ecosystem.