What to do with an "Out of Scope" vulnerability that should be in scope


Recently I found a few (5 to be exact) S3 buckets with directory listing enabled belonging to one of Bugcrowd's customers.

It turns out that I could not find any sensitive files inside those buckets, but one was clearly used for development purposes. I thought I would report it, as it is not unlikely that this bucket may contain files that should not be accessible in the future.

The result is that the customer closed the submissions without any comments and marked them as "Out of scope". When I asked, they just replied: "check the scope".

The thing is, now I have a lower acceptance rate and -1 kudos.

My question is: what to do with out-of-scope bugs that should be fixed? Should I just sit on them?

If the Bugcrowd team looks at this post, here is the submission.