Saved February 14, 2026
Do you care about this?
Researcher Jakub Ciolek reported two critical bugs in Argo CD but was left without communication or his $8,500 bug bounty for months. After inquiries and an email from The Register, HackerOne finally acknowledged the delay, citing a backlog in processing rewards. Ciolek emphasizes the need for better communication in bug bounty programs to maintain trust.
If you do, here's more
Jakub Ciolek reported two denial-of-service vulnerabilities in Argo CD through HackerOne's Internet Bug Bounty program last fall, expecting an $8,500 reward. Although both vulnerabilities received CVEs and were fixed, Ciolek faced months of silence from HackerOne regarding his payout. His attempts to contact the platform yielded no responses until The Register inquired about the situation, prompting HackerOne to finally reach out, citing a backlog as the reason for the delay.
The two flaws, CVE-2025-59538 and CVE-2025-59531, could allow attackers to crash vulnerable systems without authentication. Ciolek, an experienced researcher with 20 prior bug reports and past payouts, expressed frustration over the lack of communication. Despite HackerOne assuring him the program remains active, the situation highlights a significant issue: trust in bug bounty programs relies on transparency and timely communication. Ciolek emphasized that while he doesn't conduct research solely for monetary rewards, bounties help justify his efforts in open-source projects that typically lack funding. He also speculated that increased noise from low-quality automated submissions might be impacting responsiveness to legitimate reports.