Reported a Zillow Data Scraping Bug to Bugcrowd. They Said It Was Not Reproducible. Reddit Said It Was. Bugcrowd Threatened.
A security professional recently stumbled onto something interesting while house hunting: Zillow has whitelisted a range of Google server IP addresses, which means anyone with a Google account can use Google Sheets—or any Google service running Apps Script—to pull Zillow's real estate listing data directly into a spreadsheet. No API key required. No authentication. Just IMPORTXML or a simple Apps Script fetch, and you've got addresses, prices, square footage, and more, bypassing every anti-scraping protection Zillow has in place.
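As an added example (not from the original post, and not Zillow's or Bugcrowd's code), here is the defender's-side check for the class of mistake described above: an audit that flags any bot-protection allowlist entry overlapping a shared, multi-tenant egress range, since exempting such a range exempts every customer of that provider, not just the intended service. All CIDRs are constructed placeholders, not real Google or Zillow ranges.

```python
# Added example: audit a WAF / anti-scraping IP allowlist for entries that
# fall inside shared, multi-tenant egress ranges. Allowlisting such a range
# exempts every tenant of that provider (in the case above, anyone with a
# Google account running Apps Script) from the bot protections.
# All CIDRs below are CONSTRUCTED placeholders, not real provider ranges.
import ipaddress

# Constructed: ranges a provider publishes for customer-driven egress
# (serverless functions, spreadsheet fetchers, hosted CI runners, ...).
SHARED_EGRESS = {
    "example-cloud/apps-script": ["203.0.113.0/24"],
    "example-cloud/serverless": ["198.51.100.0/25", "2001:db8:100::/48"],
}

# Constructed allowlist as an operator might have written it.
ALLOWLIST = [
    ("partner-feed", "192.0.2.10/32"),          # single partner host: fine
    ("search-crawler", "203.0.113.0/24"),       # whole shared range: every tenant bypasses
    ("uptime-monitor", "198.51.100.64/27"),     # subnet carved out of a shared range
    ("ipv6-office", "2001:db8:abcd::/64"),      # unrelated v6 block: fine
]

def audit_allowlist(allowlist, shared):
    """Return one finding per allowlist entry that overlaps a shared egress range."""
    findings = []
    for label, cidr in allowlist:
        net = ipaddress.ip_network(cidr, strict=False)
        for owner, ranges in shared.items():
            for r in ranges:
                shared_net = ipaddress.ip_network(r)
                # overlaps() covers both "entry inside range" and "range inside entry"
                if net.version == shared_net.version and net.overlaps(shared_net):
                    findings.append({
                        "entry": label,
                        "cidr": cidr,
                        "shared_owner": owner,
                        "shared_range": r,
                        "advice": "exempt by per-client credential (API key, signed "
                                  "token, mTLS), never by shared source IP",
                    })
    return findings

if __name__ == "__main__":
    for f in audit_allowlist(ALLOWLIST, SHARED_EGRESS):
        print(f"[RISK] {f['entry']} {f['cidr']} overlaps "
              f"{f['shared_owner']} {f['shared_range']}: {f['advice']}")
```

Run this against the real allowlist and the provider's published range files; any hit means the allowlist is granting a bypass to an open, self-service platform rather than to one trusted peer.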
The researcher did what every responsible security professional is supposed to do: they reported it through Zillow's official disclosure channel. Zillow uses Bugcrowd for this. So the researcher created a Bugcrowd account—specifically for this report—filed a detailed submission, and waited.
What happened next is a case study in everything wrong with vendor-managed bug bounty programs.
The Timeline
Discovery
The researcher accidentally discovered the whitelisted IP range while building a personal spreadsheet to track homes during their house hunt. Not looking for bugs—just trying to organize listings.
Responsible Disclosure
Created a Bugcrowd account, filed a proper report through Zillow's official channel, and waited for a response. Did everything by the book.
Dismissed
Days later, Bugcrowd responded: they didn't have enough information to reproduce the issue. They told the researcher to file a new ticket with more info. Report closed. No follow-up questions. No dialogue.
Public Discussion
After being dismissed, the researcher posted a general description of the misconfiguration on Reddit. No exploit code. No scraping tools. Just a conceptual explanation of what was happening.
Bugcrowd Threatens
Bugcrowd sent a stern email demanding the Reddit post be removed, citing "Platform Behavior Standards" and "Standard Disclosure Terms." They claimed the post "puts organizations and their users at risk" and used condescending language about "coaching" and "professional behavior."
Researcher Holds Firm
The researcher pointed out the contradiction and offered a simple deal: reopen the bug, acknowledge the report had merit, and the post comes down. Bugcrowd softened their tone in a second email but still requested removal. The researcher held firm.
The Contradiction That Says Everything
Here's the part that should bother anyone who's ever filed a vulnerability report: Bugcrowd said the report didn't contain enough information to reproduce the issue. Then, when the researcher described the same issue publicly in general terms, Bugcrowd said it was dangerous enough to demand a takedown.
Pick one. Either the information is sufficient to understand the problem—in which case the original report should have been actionable—or it's not, in which case a Reddit post describing the same thing at a high level can't possibly "put organizations and their users at risk."
You can't simultaneously claim a report is too vague to act on and too dangerous to discuss publicly. That's not a security position—that's a legal one.
How Bugcrowd Failed Zillow
Here's the thing—this isn't just a story about a researcher getting burned. Bugcrowd failed Zillow too. That's what makes this so frustrating.
Zillow pays Bugcrowd to be their front line for vulnerability reports. The whole point of hiring a bug bounty platform is so that when someone finds something, it gets triaged properly, investigated, and routed to the right team. That's the service. That's what the contract is for.
Instead, Bugcrowd dismissed a reproducible issue without asking a single follow-up question. No "can you provide a screenshot?" No "which Google IP range are you seeing this on?" No "can you share the Apps Script you used?" Just closed. Move on.
Then, when the researcher talked about it publicly, Bugcrowd's response wasn't to reopen the report and actually investigate. It was to send threatening emails about platform behavior standards. They spent more energy trying to silence the researcher than they ever spent trying to understand the bug.
Zillow is paying for a security service that actively discourages people from reporting security issues. The misconfiguration is still there. The researcher who tried to help has been alienated. And the next person who finds something wrong with Zillow's infrastructure now has a great reason to not bother reporting it at all.
Bugcrowd didn't protect Zillow. They protected themselves from having to do the work, and then tried to bury the evidence.
Zillow, Find a New Bug Bounty Vendor
Zillow, if anyone there is reading this: your bug bounty vendor just cost you a free security report, burned a researcher who was trying to help you for nothing, and turned a quiet disclosure into a public conversation. That's the opposite of what you're paying them to do.
There are better options. HackerOne has a larger researcher community and more mature triage processes. Intigriti is well-regarded in Europe and growing fast. Even a self-managed program with a simple [email protected] inbox and a published disclosure policy would have handled this better than what Bugcrowd did.
The goal of a vulnerability disclosure program is to make it easy for good-faith researchers to tell you about problems. Bugcrowd made it hard, then made it hostile. That doesn't keep Zillow secure—it keeps Zillow in the dark.
The best vulnerability disclosure programs make researchers feel valued, not threatened. If your bug bounty platform is doing the opposite, it's time to switch.