Hacker News new | ask | show | jobs
by tgsovlerkhgsel 3418 days ago
I had the exact opposite experience. I filed a vuln report for a company that promised guaranteed bug bounties, complete with a polished PoC. I received no response at all. I contacted HackerOne, who pinged the company a couple times, didn't get a response either, apologized to me and that was it.

The company remained on HackerOne and continued to promise bug bounties (and occasionally even paid some). Meanwhile, since the company hadn't responded to my report, I was not even able to disclose it within the platform.

I wrote it off as a learning experience and concluded that HackerOne was clearly focused on getting companies on board while not really caring about hackers. Business-wise, it's probably a clever practice (because getting companies on board is hard while finding hackers is easy), but I certainly am not very excited about them...

Edit: Said company is still on HackerOne, still offering their bug bounty, with links in the description now pointing to 404s since they changed their product line in the meantime. QED.
2 comments
martenmickos 3418 days ago
Sorry to hear this. Can you email us at support@hackerone.com or me marten@ so we can see what went wrong and where we dropped the ball. Thanks!
link
ddworken 3418 days ago
Wow, I'm definitely really surprised to hear that just because it is in such stark contrast to my own experience. If you don't mind me asking, how long ago was this? From my own experience, they're continually improving (they just added the response efficiency stats last may) and are putting a ton of effort into growing the hacker community.
link
tgsovlerkhgsel 3418 days ago
The original report was roughly a year ago. I've checked that the company is still on their web site with 404-ing signup links roughly 30 minutes ago. I see response efficiency stats, but I don't know how they handle still-open reports. If they only consider reports that have received a response, a company that resolves a couple of reports quickly while ignoring hundreds of others will still have great stats.

Support simply told me to self-close the report because the company seemed inactive, without removing the company from their web site.

I get that they can't force them to pay or triage all issues, but the very least they could do would be letting researchers publish reports if ignored for over 90 days, and remove companies that are inactive. However, HackerOne wants to be able to show off a huge customer list, so they keep them on board, and what the companies want is king, so they don't allow disclosure unless the company allows it. (They also mix bug bounties managed by them with other bug bounties, to make it seem like they have more customers than they really do.)

link
ddworken 3418 days ago
Wow, very surprised to hear that. I definitely recommend taking Marten up on his offer and sending him an email (this behavior—of the CEO reaching out to hackers—is much more in line with my own experiences with them).

Good luck with everything!

link