Google told researcher 'Nice catch!' Then denied bug bounty for flaw it still hasn't fixed

AI Fusion Summary

Security researcher Justin O'Leary reported a high-priority privilege-escalation flaw called ConfigConfusion in Google's Config Connector. Although Google initially praised the discovery with a 'Nice catch!' and rated the bug as high-severity, the company later denied the bug bounty payout. Google now claims the behavior is working as intended, meaning no fix will be implemented. Despite this denial, the bug report remains marked as high-priority and accepted within Google's internal systems.