Scam Alert: rfgstudios.com — Silent Fix | Bounty Denied
Company / Program: rfgstudios.com
Platform: Self-Hosted · Severity: high · Scam type: no-payout
Published:
Reported by: Zeeshan1337
I reported an IDOR (guardianx.rfgstudios.com)
vulnerability that allowed an attacker to compromise victims' Discord bot ticket systems. Within 24 hours, the program responded that the issue was "not reproducible."
When I retested the vulnerability, I discovered that it had already been silently fixed. I followed up and asked why the issue was marked as non-reproducible despite being patched. Their response was that it "may have been a false positive."
After further discussion, they reviewed their logs and eventually confirmed that the vulnerability had indeed existed. However, they then reclassified it as a low-severity issue and stated that it did not qualify for a reward.
I provided a detailed severity assessment and explained why the impact should be considered much higher. In the end, they acknowledged that the vulnerability was real and upgraded the severity to Medium, but they still failed to provide a clear explanation as to why it was not eligible for a bounty.
This has been one of the most frustrating bug bounty experiences I have encountered. A valid vulnerability was initially denied, silently fixed, later confirmed, and ultimately left without a transparent justification regarding reward eligibility.