The behavior:

- Only affected a subset of private accounts
- Vendor test accounts were not vulnerable
- Reproduction depended on account characteristics, unknown internal account flags
- The behavior disappeared mid-investigation (likely due to a server-side change)
The report was ultimately closed as “not reproducible,” despite evidence earlier in the investigation.
My question: how do you validate, root-cause, and confidently close authorization bugs that are conditional, subset-only, and vanish during triage?
What does good disclosure handling look like in cases like this?