top | item 22405863


ohithereyou | 6 years ago

That sounds like it's a payout lottery. H1 can't force its customers to pay. It's acting as a go-between on behalf of its customer, the company offering the bounty, not as a neutral arbiter when there is a dispute.

Perhaps I would take them seriously if there was an escrow account that companies paid into and that was released to the reporting party when a plurality of multiple, disinterested parties agreed that the report was valid.


WUHANCLAN | 6 years ago

HackerOne can force their customers to pay, that's the entire point of their "guaranteed bounty" program, that it's a guaranteed bounty!

Even with a guaranteed bounty and a critical security vulnerability, HackerOne will punt the entire thing to one of their Portswigger groupies for collection and then won't disclose the details about the discovered flaw that supposedly they found prior to your submission.

Those guys are terrible, a worthless product offering unless you are one of their clients getting free penetration testing and vulnerability analysis services.