by mike_d
2123 days ago
I have been on both sides of this situation. Running bug bounty programs, and submitting vulnerabilities to Google both before and after I worked there. Often a researcher will find a bug, report it, and then weeks or months later reply with a follow-up that dramatically changes the scope or severity. Based on all of my interactions with the Google VRP program, I consider it much more likely the researcher isn't giving the whole story about the timeline. They are super responsive, take shit seriously, and push teams to get patches out.