At least one time it's worth going through all the motions to prove whether it is or is not actually functional, so that they can not say "no one reported a problem..." about all the problems.

You can't say they don't have a funtional process, and they are lying or disingenuous when they claim to, if you never actually tried for real for yourself at least once.

Yes, most of the time you can find someone that cares in the data privacy team or some random security engineer on social media. But it's a very draining process, especially when it's a tech company where people should actually quickly grasp the issue at hand.

I tried every single channel I could think of except calling phone numbers from the whois records, so there must've been someone who saw at least one of the mails and they decided that I'm full of shit so they wouldn't even send a reply.

And if BugCrowd staff with their boilerplate answers and fantasy nicknames wouldn't grasp how a HTTP request works it's a problem of OpenAI choosing them as their vendor. A potential bounty payout is not worth the emotional pain of going through this middleman behavior for days at a time.

Maybe I'm getting too old for this :)