NVIDIA Bug Bounty Program Faces Scrutiny Over Unanswered Critical Security Report
A critical security vulnerability report submitted to NVIDIA's official bug bounty program has gone unanswered for at least six days, raising serious questions about the integrity and responsiveness of the tech giant's security reporting system. The researcher, who followed NVIDIA's published SECURITY.md guidelines, alleges the 'INTEGRITY bug bounty report system does not function at all,' with no confirmation or triage activity on the submission ticket (NVIDIA-V5S11LAV). Leaving a high-severity finding unacknowledged means the reported issue remains unassessed and unpatched for longer, which directly affects user security and contradicts the program's stated purpose.
The issue centers on a submission made via the Intigriti platform, a third-party service NVIDIA uses to manage its vulnerability disclosure program. The researcher provided a screenshot showing the submission status, but reports receiving no communication from NVIDIA's security team. The lack of a response within what the researcher calls a reasonable 'few days' for a critical issue highlights a potential breakdown in internal processes or resource allocation for handling external security research.
This incident places NVIDIA's security posture and its commitment to its bug bounty program under immediate pressure. Unresponsive vulnerability disclosure channels can push researchers toward public disclosure, potentially exposing users to risk before a patch is developed. For a company of NVIDIA's scale, handling sensitive hardware and software across AI, gaming, and data centers, such a lapse in its primary external security feedback loop represents a significant operational and reputational risk. The situation demands urgent internal review to restore researcher trust and ensure user safety.