I submitted an 1-click Account Takeover on their VIP program, apart the previous ones which were assessed as High Severity. But the recent one is downgraded to Low Severity due to phishing, even when the High Severity issue also required phishing. I mean 1-click ATO do require phishing bro.
This is the second incident after their publicly acked mishandled triaging of https://blog.cloudflare.com/unauthorized-issuance-of-certificates-for-1-1-1-1
I do not know what's happening to them, but they are declining to provide answers, even privately/publicly. Also, they publicly boasts of their new VIP program: https://blog.cloudflare.com/cisa-pledge-commitment-bug-bounty-vip/#the-vip-programs-new-enhanced-reward-structure but when submitting this recent report to it, they forwarded it to the public program.