Results of my experiment reporting an Amazon XSS via Open Bug Bounty:
· Reported on 2021-03-08
· Automatically disclosed on 2021-06-06, still unpatched
· Actually fixed at some point before 2021-09-17
No idea whether Amazon even received the original report. Maybe they only noticed because someone started exploiting this vulnerability. So: no, not sure whether I want to do this again.