I'm an independent security researcher. I recently reported multiple critical security vulnerabilities to Deribit through their bug bounty program.
Instead of following their own advertised "Fast Payment" SLA (which promises payment within 1 month), Deribit silently pushed patches to production and has completely ghosted me for 70+ days. Zero triage, zero communication, zero payment.
When I escalated to HackerOne support, I was told Deribit is an "unmanaged" program and H1 cannot force them to respond or pay, despite Deribit displaying "Gold Standard Safe Harbor" and "Platform Standards" badges on their page.
My issue isn't just about the unpaid bounty. My issue is the transparency. If a major crypto exchange is secretly patching critical security flaws in the background and refusing to publicly acknowledge them, how can traders trust that the platform is safe? What else are they patching without telling their users?
I am bound by their NDA and cannot share the technical details of the flaws. But I feel the community deserves to know how this exchange handles security reports and treats the researchers trying to keep the platform safe.
Be careful with your funds on platforms that value hiding security flaws over transparency.
Warning: Deribit silently patches critical security flaws and ghosts the researchers. Can we trust an exchange that hides its vulnerabilities?
by u/jalia_ in r/CryptoMarkets