BlueHat Oct 23. S08: "It's By Design!"

Science & Technology

"It's by design" is the phrase most bug bounty hunters see in their nightmares. It means the vulnerability they reported is actually a feature working as intended, so it won't be fixed and there will be no bounty payment.
Sometimes this is obvious, but sometimes it is a difference of opinion between the researcher and the product group engineers. On rare occasions, after the researcher has published their findings, public opinion forces the product group to reassess the report.
In this talk, Dr. Nestori Syynimaa (SecureWorks) shares some "by design" cases from his bug bounty career as well as some from his fellow researchers. The cases are chosen to demonstrate the range of different outcomes resulting from "by design" rulings. The purpose of the talk is to foster dialogue between engineers and researchers to keep us all protected.
