How to keep bug bounty findings alive in the queue: the HEAD verification matrix A practical pattern for researchers waiting weeks-to-months between report drafting and submission deadline. Built after a New Hacker cap-clear window made me realize my 8 queued findings could silently get patched out from under me. The problem nobody warns new researchers about You spend a productive month finding 8 solid bugs. The HackerOne New Hacker cap is six open reports at a time. You submit six, hit the cap, queue the other two for the next 30-day window. By the time the cap opens, two of your queued findings have been silently patched in upstream, and your "fresh" submission gets closed as Out-of-Scope or Duplicate of an internal commit. This is the most expensive failure mode for a new researcher who finally has a stocked pipeline. The fix is mechanical, not heroic: a HEAD-verification matrix you run on a cadence. What the matrix actually is A single markdown file with one row per queued finding.…