[droopybuns]

Im pulling for the H1 gang. Bug bounties are a critical security component for any business: They are the only way to catch unknowns and known unknowns. If your business doesnt have some form of bounty program, you are whistling past grave yards.

Working with h1 is great because they can help you avoid running a program that creates problems during your launch, manage submissions, handle international payouts, etc. Cant say enough positive things about these folks.

[Kalium]

Bug bounties are critical! They're one of the few things that can seriously shift the economic incentives around vulnerabilities.

One of the issues I've run across is that virtually all the reports I'm getting are copypasta'd from from other H1 reports by people with marginal communications skills. Couple that with the way researchers are encouraged to find ways to report the same issue multiple times and the way some seem to expect $1k payouts for noting that a WP site doesn't use HSTS, and it becomes difficult to justify the time investment.

:(

[ddworken]

Just wanted to chime in and say that working with them as a hacker is also a great experience. They put a ton of emphasis on the community with publicly disclosed reports (https://hackerone.com/hacktivity/popular), statistics on response efficiency (e.g. https://hackerone.com/uber), and a great support/mediation team (https://support.hackerone.com/hc/en-us/articles/210782803-Ho...). In addition, they also have a really admirable stance on transparency and it seems like they always share as much information as they can (e.g. https://www.hackerone.com/blog/fair-and-transparent-hacker-i...).

I've personally learned a ton from working on bug bounties through HackerOne and am unbelievably excited to see them continue to grow.

[tgsovlerkhgsel]

I had the exact opposite experience. I filed a vuln report for a company that promised guaranteed bug bounties, complete with a polished PoC. I received no response at all. I contacted HackerOne, who pinged the company a couple times, didn't get a response either, apologized to me and that was it.

The company remained on HackerOne and continued to promise bug bounties (and occasionally even paid some). Meanwhile, since the company hadn't responded to my report, I was not even able to disclose it within the platform.

I wrote it off as a learning experience and concluded that HackerOne was clearly focused on getting companies on board while not really caring about hackers. Business-wise, it's probably a clever practice (because getting companies on board is hard while finding hackers is easy), but I certainly am not very excited about them...

Edit: Said company is still on HackerOne, still offering their bug bounty, with links in the description now pointing to 404s since they changed their product line in the meantime. QED.

[martenmickos]

Sorry to hear this. Can you email us at support@hackerone.com or me marten@ so we can see what went wrong and where we dropped the ball. Thanks!

[ddworken]

Wow, I'm definitely really surprised to hear that just because it is in such stark contrast to my own experience. If you don't mind me asking, how long ago was this? From my own experience, they're continually improving (they just added the response efficiency stats last may) and are putting a ton of effort into growing the hacker community.

[tgsovlerkhgsel]

The original report was roughly a year ago. I've checked that the company is still on their web site with 404-ing signup links roughly 30 minutes ago. I see response efficiency stats, but I don't know how they handle still-open reports. If they only consider reports that have received a response, a company that resolves a couple of reports quickly while ignoring hundreds of others will still have great stats.

Support simply told me to self-close the report because the company seemed inactive, without removing the company from their web site.

I get that they can't force them to pay or triage all issues, but the very least they could do would be letting researchers publish reports if ignored for over 90 days, and remove companies that are inactive. However, HackerOne wants to be able to show off a huge customer list, so they keep them on board, and what the companies want is king, so they don't allow disclosure unless the company allows it. (They also mix bug bounties managed by them with other bug bounties, to make it seem like they have more customers than they really do.)

[ddworken]

Wow, very surprised to hear that. I definitely recommend taking Marten up on his offer and sending him an email (this behavior—of the CEO reaching out to hackers—is much more in line with my own experiences with them).

Good luck with everything!

[sgslo]

I'm on the same boat; H1 is a fantastic service. Doesn't matter how many smart people you have in the room working on your product, its always possible for some flaw to slip through the cracks.

At my last startup a H1 researcher picked up a few critical flaws. The whole process was incredibly easy to work through. One tip for anyone trying out the service: be prompt when working with researchers. If they find some legitimate bug, pay them the bounty they deserve, and stay in constant contact.