Description
Hello Cosmos Security Team,
I am writing to formally object to the handling of HackerOne report
#3533418 and to document what appears to be a serious breakdown in
process and professional standards.
After the report was:
- Accepted
- Triaged
- Marked as “Pending Bounty”
a Cosmos team member (tylertylertyler) unilaterally closed the report as
“Spam”, locked all discussion, and prevented any response from my side.
I want to be explicit:
Closing a report at the pending bounty stage, then retroactively
labeling it as spam, is not a technical judgment — it is procedural
manipulation.
If the report was invalid, it should never have passed triage.
If the PoC was insufficient, the correct action is a technical rejection
or a request for revision — not silencing the researcher and disabling
their right to respond.
Disabling comments and issuing accusations after acceptance constitutes
a clear violation of responsible disclosure norms and HackerOne
standards, and raises concerns about internal conflict of interest once
a bounty decision is imminent.
If Cosmos positions itself as a security-first ecosystem, this behavior
directly contradicts that claim.
I strongly recommend this incident be reviewed internally.
Before this situation escalates further, I expect:
- A clear explanation for the reversal
- Or reopening of the report so technical discussion can occur properly
I would prefer this to be resolved privately and professionally.
However, the current handling is not acceptable under any recognized
security disclosure framework.
Regards,
fixsear7