frontpage.

Closed –> Traced –> Closed: Did a Tech Giant Panic over an HTTP/2 200 OK Bypass?

1•CorporationHit•1h ago

[DISCLAIMER]: This is shared strictly for educational purposes and as a case study for the security community. My goal is to discuss the logic of security response systems, not to target any individual or proprietary data. The Case: I am seeking the community's perspective on a technical disagreement. Who is at fault when a manual proof of a bypass is provided, yet the response logic remains inconsistent? The Timeline & Logic Gap: The Report: I reported a logic flaw in a payments-related sub-domain. It was initially reviewed and marked as "Triaged". The Dismissal: Shortly after, the report was marked as "Closed (Informative)". No technical explanation was provided for why the triage was reversed. The Manual Proof: I provided a manual bypass using an Admin-Token: true header, which resulted in a successful HTTP/2 200 OK response (verified in terminal logs). The Loop: Following this evidence, the report went through a "Triaged-Closed" loop. Despite the manual proof of a 200 OK status, the case remains closed without a patch. Where is the Fault? Is it the Company's fault? For dismissing a manual proof of a 200 OK bypass and relying on automated closure logic instead of verifying the vulnerability's impact. Is it the Researcher's fault? For providing evidence that contradicts the "Informative" status and expecting a technical justification for the closure. The Evidence (Screenshots): Manual Proof (HTTP/2 200 OK Bypass): https://i.ibb.co/kgMjSBBK/Whats-App-Image-2026-02-13-at-1-40-12-PM.jpg Report Status History (The Loop): https://i.ibb.co/5gsLnyJJ/Whats-App-Image-2026-02-13-at-1-43-58-PM.jpg Initial Triage Confirmation: https://i.ibb.co/K3ZCQ48/Whats-App-Image-2026-02-13-at-1-38-17-PM.jpg 48-Hour Notice Email: https://i.ibb.co/Df8GwCH0/Whats-App-Image-2026-02-13-at-1-54-37-PM.jpg Full Communication Logs: https://i.ibb.co/zTbNRFQy/Whats-App-Image-2026-02-13-at-1-38-27-PM.jpg My Question to Developers & Researchers: When a researcher proves a bypass with a 200 OK response, but the company keeps the report "Closed," is this a standard industry practice or a gap in the security response logic? Google VRP

Show HN: Decoder – Static call graph analysis for Python

Gut feeling might be more valuable than habits, plans, or conscious decisions

Mops

WolfSSL Sucks Too, So Now What?

The $6 Bug

AWS EKS VPC CNI Prefix Delegation: More Pods in Your Nodes

Syphilis Situation in Seattle is insane [video]

Show HN: Context Lens: Devtools for your agent context

The hard problem with hard problems (Getting Claude to write a solar system SIM)

New AI system pushes the time limits of generative video

Bullet Garden – a Vampire Survivors-like game in a single 85KB HTML file

Open-source code tracks data's international travels

Apple has a transparency issue [video]

Promises Are Cheap

ScratchBird: MGA database engine with multi-dialect wire compatibility

A chatbot's worst enemy is page refresh

While you support others, who supports you?

Quantum Web: Luci Browser – Entry to Web 5

The Silence I Cannot Speak

Show HN: AI-Powered Adaptive Financial Education

Majutsu, Magit for Jujutsu

Hs-bindgen – automatic Haskell C binding generation

Slouch Patrol: Because You Forgot Once Again

Suspected spies arrested in French town

Jargon Chaff File

Show HN: Exact Hamiltonian Path solver (N=63) in 0.11s on mobile ARM (No RAM)

Rednow – Turn Viral Videos into Scripts

America at 250

UNESCO World Radio Day 2026

Apple Confirms Revamped Siri Is Still Coming in 2026