by raesene9 4101 days ago
Good point about the Hacker One disclosure timeline, sounds like the reporter should have waited for that to elapse prior to disclosure.

Not sure I'd say 90 days is entirely arbitrary as some of the big boys (i.e. Google Zero) seem to have come to a conclusion that that's the appropriate delay between disclosure and fix (whether that's always reasonable is another matter).

I'd guess he may have felt the "more time" thing didn't apply, as he wasn't getting any more communications about the bug status...

And sounds like a good feature request for Hacker One on dupes, this won't, I'm sure, be the only instance where this kind of mis-communication happens!

1 comment

Considering the fact that they were unresponsive and dismissive, and some feedback about Slack's bug bounty program from other fellow researchers, I really didn't think 180 days was worth the wait, so yeah, I chose my own. I am at liberty to do that, just like Slack has the liberty to ban me from their program. So yeah, your guess is good!

And it's not only me who has had such a terrible experience with their program. I know at least 3 different researchers who have reached out to me to tell me that they have gone through the same experience. They prefer not to speak out. I did. Period.