
Binance Fixes IP Whitelist Vulnerability but Disclosure Process Remains Flawed
Tags: Cybersecurity, Vulnerability Disclosure, Bug Bounty, API Security
A researcher reported a Binance API vulnerability in which a listenKey (the token that authorizes a user data stream) created from a whitelisted IP address could later be used from non-whitelisted IPs to subscribe to the account's private user data stream, including balances and orders: the API key's IP whitelist was checked when the listenKey was issued but not when it was used. Binance initially rejected the report as "Social Engineering" or "Not Applicable", but later fixed the issue by enforcing the IP whitelist on listenKey usage as well. The researcher retested the flaw in May 2026 and confirmed the fix, though the disclosure process for reports that are first rejected and later resolved remains unclear. The post asks how bug bounty programs should handle reports that are dismissed but later addressed.
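The flaw class is worth seeing in code: a derived credential (the listenKey) inherits the parent API key's IP restriction only if the service re-applies that restriction at use time, not just at issuance. The following is an added illustration written for this page, not Binance's code or the researcher's proof of concept; the service, its class names, the listenKey TTL and the IP addresses are all constructed for the example, and the `enforce_whitelist_on_use` flag models the before-fix and after-fix behaviour the report describes.

```python
"""Toy model of a listenKey that is (or is not) bound to its API key's IP whitelist.

Added example, not Binance's implementation: every name here is invented, and the
server logic is a hypothetical reconstruction of the behaviour the report describes.
"""
import ipaddress
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class ApiKey:
    key_id: str
    # Empty whitelist means "no IP restriction" (assumption for this model).
    ip_whitelist: Set[str] = field(default_factory=set)

    def allows(self, client_ip: str) -> bool:
        """True if client_ip falls inside any whitelisted address or CIDR block."""
        if not self.ip_whitelist:
            return True
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(n, strict=False) for n in self.ip_whitelist)


@dataclass
class ListenKey:
    token: str
    key_id: str       # the API key this listenKey was derived from
    expires_at: float


class UserDataStreamService:
    """Issues listenKeys and authorizes user-data-stream subscriptions."""

    LISTEN_KEY_TTL = 60 * 60  # constructed value; the real TTL is not the point here

    def __init__(self, api_keys: Dict[str, ApiKey], enforce_whitelist_on_use: bool):
        self.api_keys = api_keys
        self.enforce_whitelist_on_use = enforce_whitelist_on_use
        self.listen_keys: Dict[str, ListenKey] = {}

    def create_listen_key(self, key_id: str, client_ip: str, now: Optional[float] = None) -> str:
        """Issuance step: the whitelist is checked here in both the weak and fixed modes."""
        api_key = self.api_keys[key_id]
        if not api_key.allows(client_ip):
            raise PermissionError("IP not whitelisted for this API key")
        token = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        self.listen_keys[token] = ListenKey(token, key_id, now + self.LISTEN_KEY_TTL)
        return token

    def authorize_stream(self, token: str, client_ip: str, now: Optional[float] = None) -> bool:
        """Use step (opening the stream). Weak mode treats the listenKey as a bare bearer
        token; fixed mode re-applies the parent API key's whitelist to the connecting IP."""
        lk = self.listen_keys.get(token)
        now = time.time() if now is None else now
        if lk is None or now >= lk.expires_at:
            return False
        if self.enforce_whitelist_on_use:
            return self.api_keys[lk.key_id].allows(client_ip)
        return True


def demo() -> Tuple[bool, bool]:
    """Returns (weak_result, fixed_result): can a listenKey created from a whitelisted
    IP be used to open the stream from a non-whitelisted IP?"""
    # Constructed test data using documentation address ranges (TEST-NET-3 / TEST-NET-2).
    keys = {"k1": ApiKey("k1", {"203.0.113.10"})}
    results = []
    for enforce in (False, True):
        svc = UserDataStreamService(keys, enforce_whitelist_on_use=enforce)
        token = svc.create_listen_key("k1", "203.0.113.10", now=0.0)
        results.append(svc.authorize_stream(token, "198.51.100.7", now=1.0))
    return results[0], results[1]


if __name__ == "__main__":
    weak, fixed = demo()
    print(f"before fix: stream opened from non-whitelisted IP = {weak}")
    print(f"after fix:  stream opened from non-whitelisted IP = {fixed}")
```

The retest the researcher describes is the same check as `demo()` run against the live service: obtain a listenKey from a whitelisted address, then try to open the stream from an address outside the whitelist and expect a rejection. Note that the fixed mode still needs the expiry check; binding the token to the whitelist does not replace the TTL, it complements it.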