Hello Elastic team,
First of all, thank you for running a security program and for the work your team does to keep the ecosystem secure. I really appreciate the opportunity to contribute by reporting vulnerabilities affecting projects like Kibana and Elasticsearch.
I would like to share some feedback regarding the bug bounty process. In several of my reports, the issues have already been triaged and acknowledged, but the bounty payment and resolution process has taken several months. In some cases, the vulnerability fixes also take a long time to be applied after validation.
I completely understand that investigation, prioritization, and coordinated fixes can take time, especially for complex issues. However, the waiting period after triage can be quite long, particularly for researchers who actively contribute multiple reports.
It would be very helpful for the community if there could be:
- clearer timelines or expectations for bounty processing after triage
- more transparency about the stages between triage → fix → bounty payment
- improved turnaround time where possible
I'm sharing this as constructive feedback because I value the program and would like to continue contributing security research to Elastic projects.
Thank you for your time, and I appreciate any insights the team can share about how the process works and whether improvements might be planned.
Best regards.