[ammar2]

It's not just based on that, if you read the linked report from 2023 (https://blog.ammaraskar.com/vscode-rce/), I had a bug with the exact same impact of token exfiltration (It did need one additional click on the VSCode interface). They marked it as low severity, fixed it silently, didn't acknowledge that it had security impact and did not provide me any credit much less a bounty.

[nicce]

I thought that the general issue was that they ignore the submissions and do not fix them - but the actual problem is that they give different severity and may not give fame or money? I think disclosure for those reasons is highly in gray area from ethical perspective. Regardless if it was clearly in the scope of the bug bounty program or not. That is distinct problem and does not justify public disclosure without warning with enough time.