Hi! I’m looking for some advice from people who have bug bounty experience. I found an application-specific parsing inconsistency in an image-fetch feature. Because the main validation logic and a legacy fallback path handle things differently, it’s possible to get around some of the intended URL validation checks and access functionality that normally wouldn’t be reachable. The fallback component uses a very old version of a third-party library that has publicly known security issues. I’m not really asking about exploitation itself, but rather whether it’s worth developing a working RCE for this if the outcome could still be a duplicate. In your experience, how do bug bounty programs usually look at findings where: The reachability issue is application-specific. The downstream component contains known public vulnerabilities. The application’s own logic is what makes the vulnerable code path reachable.…