Usually, platforms screw you over with their vulnerability classifications, for example.
Crypto bros have created their own severity classification system. So, a couple of weeks ago, I reported some bugs in the Firedancer network stack. But the bug reports were rejected because the bugs were in the main branch (now in production), not in the Mainnet-v0.113.20007. I was like, fair enough. After some time, I found a null dereference in the Mainnet-v0.113.20007 HTTP implementation. Guess what happened next? Firedancer rejected it, saying it does not fall under Immunefi's severity classification system. Now, the funny part is that Firedancer was audited. My findings and the findings in the audits are similar, typical memory corruption bugs. But my disadvantage was that I was going through a rigged platform. I am not that disappointed with Immunefi; it is a crypto platform, so scamming people is in its nature.
I selected a target on YesWeHack and found a total of 4 bugs.
Like any normal human being, first you find a bug, then create an account and then report it. Well, the first two steps were easy.
To submit bug reports, you must first complete your KYC
At first, I was a bit skeptical, but after some time, I was like, they are European; I can trust them. To my surprise, YesWeHack uses Mangopay for processing payments, and Mangopay requires you to send them a copy of your passport for KYC. After reading this, my reaction was: Are you ret***ed or something? I just want to report a bug. Who the f**k thought it was a good idea to rely on only one type of document?
Asking for some quick changes
I, as a normie, asked them to change some bits in their server to let me report it at least. They didn’t. Instead, these incel f**ks started teaching me the philosophy of ethical hacking and bug bounty platforms, and why KYC is important for protection against money laundering.
I am hoping for a future where things just work, without being rigged or run by incompetent people.