Advice sought regarding HackerOne and vulnerability submission
Max-Ganz-II Saturday, July 27, 2024
I would like advice regarding HackerOne.
I am an Amazon Redshift specialist.
I know of an issue with Redshift such that any user who can create a table and issue a query on that table is able, with a normal but specially crafted table and query, to crash the cluster about ten seconds after the query is issued.
I reported this to HackerOne as a vulnerability, providing the DDL for the table and the SQL for the query.
HackerOne triage (not AWS) have come back with:
> We are happy to review this further if you are able to leverage this into a practical exploitation scenario that results in an impact to Amazon assets or data. [Your] report will be closed as Informative.
Which is not what I expected.
I am thinking I have misunderstood something fundamental.
Can anyone here with experience or knowledge in this matter provide advice?