Author of the blog post here. Yes, I agree that it wasn't HackerOne's fault and they tried their best to help.
As for the violation of the agreement with HackerOne, I have read the policy many times before publishing the article and even asked HackerOne about this. The vulnerability is already fixed and I haven't heard from Harvest since April 2022, so there's no point asking them, as it would seem like a threat rather than an actual disclosure. An excerpt from the agreement:
> Last resort: If 180 days have elapsed with the Security Team being unable or unwilling to provide a vulnerability disclosure timeline, the contents of the Report may be publicly disclosed by the Finder. We believe transparency is in the public's best interest in these extreme cases.