I submitted a bug bounty report via Hats Finance (project: Safe).
It has been 7 days without any response to my emails and submissions.
Per the Hats process, if no feedback is received within the expected timeframe, the next step is to request escalation. I am therefore making this note public to ensure proper tracking and transparency.
Could you please confirm:
Whether my submission has been received and is under review.
The expected timeline for classification and payout decision.
I have followed the responsible disclosure guidelines and will not share PoC details here. I simply request acknowledgment and clarity on the status.
First, I would like to clarify that the submission was responded to on the 17th of September, at 3:56 PM CET (just checked the sent email timestamp). I am also confident that you received the response (as you replied to it on the same day twice at 5:19 PM CET and 5:34 PM CET).
You did request we reconsider our evaluation, and I apologize that we were not able to re-evaluate right away (unfortunately, the people that handle the submissions, including myself, were on leave). I will continue our discussion in the email thread we already have.
To be precise, on my side I only received one initial message with the text:
“Thank you for taking the time to participate in our bug bounty program.
Allowing an EOA fallback handler is not a security issue. In fact, it presents similar behaviour to the caller (with the exception of gas usage) as if address(0) – the default – were set.”
After that, I replied twice with explanations and objections regarding why this should be considered a security-relevant finding. Those were my responses to that single message.