hanno, I have seen my fair share of strange reactions and rejections by bugbounty plattforms, but this is new: Rejected, because the report mentions a CVE. No, I have no idea what they are thinking. (I can only guess that they get lots of low quality reports from automated tools mentioning CVEs. But the idea that a security report that mentions a CVE is invalid is... whatever...)