Hey, looking for community wisdom on something. About 2 months ago I started doing web/mobile testing on Bugcrowd. One of my early findings was an unauthenticated email viewer where I could read every outbound email a company sent: password reset tokens, device auth codes, the lot. I filed it at P3 and appealed to P1.
Bugcrowd support replied saying "wait, an engineer will look at it." About three hours later, every case I had open across the platform was closed as not-applicable: four cases in total, across two completely unrelated programs, by three different staff, all within a 12-minute window the same morning. About a week after that, I got hit with a 30-day account suspension citing "AI-assisted findings" and "high rejection rate" patterns. I contested the suspension since my accuracy is around 95%, but they declined to revisit any individual case decision. To be up front: like most in 2026, I do use AI to help me, but I also test every PoC and understand what's going on.
I waited out the 30 days (partly to stay in safe harbor) and just retested everything. All of the surfaces are still exploitable two months later, including the email-viewer one with live password reset tokens.
Question for the community: what's the right move here? I'm hesitant to reach out to the affected companies directly given the TOS says not to, and also hesitant given how the platform handled the original reports, but "do nothing while customer data sits exposed" doesn't feel right either. Has anyone been through something similar and have advice? Happy to take it to DMs if anyone's been here.