
I reported a stored XSS at SurvivalServers — the bug was fixed, but they refused to pay and responded with threats — here’s my story (SCAM)


Responsible disclosure met with intimidation. I’m sharing my timeline and proof so researchers and customers can judge for themselves.


TL;DR
On October 19, 2025 - 8:13 AM PST I responsibly reported a stored XSS (HTML) vulnerability to SurvivalServers (https://www.survivalservers.com). Their team fixed the issue, but refused to pay the bounty I requested. I later received a message from the company’s CEO, Ryan Pennington (screenshot attached), which I found threatening and inappropriate. I am publishing my timeline and evidence so the security community and potential customers can decide how to respond.


My timeline

  •  I discovered a stored XSS (HTML) vulnerability affecting [short description of the component: e.g., “user profile comments” or “server description field” — do not include exploit code here].

  •  I reported the issue to SurvivalServers via support following responsible disclosure practices. I included reproduction steps and a suggested mitigation.

  •  SurvivalServers acknowledged receipt and said they would investigate.

  •  The issue was fixed by SurvivalServers.

  •  I asked for the bounty/payment as previously discussed (or requested compensation). SurvivalServers declined / did not respond / refused to pay.

  •  I received a message from Ryan Pennington that I consider threatening and meant to intimidate me into silence.

What I will not do

I will not publish exploit details or step-by-step attack code. My disclosure followed responsible practice: I gave the vendor time to fix and I am not exposing details that would put users at risk.

What I am asking for

A public acknowledgement from SurvivalServers that the vulnerability was fixed and that the researcher was treated professionally.

Payment of the agreed/expected bounty — or, if no formal bounty exists, some fair compensation for the responsible disclosure.

A policy change: a publicly posted security disclosure and bug bounty policy with a contact email so future researchers have clear expectations.

Why this matters

Responsible security research benefits everyone — customers, vendors, and the overall internet. Intimidating researchers discourages vulnerability reporting and increases risk for end users. If companies want help finding bugs, they should treat researchers professionally and have transparent processes and fair compensation.  

Final note to the community

I prefer to resolve these issues privately and fairly. Unfortunately, the way SurvivalServers handled my report — including the message I received — forced me to go public so others are aware.
