(no title)

I try to go into these things with zero expectations. Having a mediating party involved from the start is a bit like OP immediately CC'ing the CERT: extra legal steps in the disclosure process. Mediating parties are usually a pain to work with, and if it's deemed "out of scope" then they typically refuse to even notify the vulnerable party (or acknowledge to you that it hasn't been disclosed). I don't want a pay day, I just want them to fix their damn bug, but there's no way to report it besides through this middle person. Literally every time I've had to use a reporting procedure (like HackerOne) has resulted in tone-deaf responses from the company or complete gatekeeping. All of those bugs exist to this day. Every time I can email a human directly, it gets fixed, and in some occasions they send a thank-you like some swag and chocolates, a t-shirt, something

Based on what I hear in the community, my HackerOne experiences have been outliers, but it might still be more effective (if you're not looking to collect bounty money) to talk to organizations directly where possible and avoid the ones that use HackerOne or another mediation party