How do you handle duplicates when submitting to responsible disclosure programs?

I would like to bring this topic up for discussion because it covers some good points:

  • how much time does a company take to fix vulnerabilities?
  • do you think some companies trick researchers by telling them that it's a “duplicate”?
  • does a duplicate apply to the 90-day policy?
  • should companies still reward/acknowledge duplicates?

Let me hear back from y’all

I have some strong opinions, but I am going to wait for other responses before I trash talk.

I’m thinking about writing a personal blog entry about it and I want more feedback around it. I have my own conclusions. Also, it would be great if someone from legal had time to ping this subject as well.