Hacker News
by ddworken 3418 days ago
Wow, I'm definitely really surprised to hear that just because it is in such stark contrast to my own experience. If you don't mind me asking, how long ago was this? From my own experience, they're continually improving (they just added the response efficiency stats last May) and are putting a ton of effort into growing the hacker community.

The original report was roughly a year ago. I've checked that the company is still on their web site with 404-ing signup links roughly 30 minutes ago. I see response efficiency stats, but I don't know how they handle still-open reports. If they only consider reports that have received a response, a company that resolves a couple of reports quickly while ignoring hundreds of others will still have great stats.

Support simply told me to self-close the report because the company seemed inactive, without removing the company from their web site.

I get that they can't force them to pay or triage all issues, but the very least they could do would be letting researchers publish reports if ignored for over 90 days, and remove companies that are inactive. However, HackerOne wants to be able to show off a huge customer list, so they keep them on board, and what the companies want is king, so they don't allow disclosure unless the company allows it. (They also mix bug bounties managed by them with other bug bounties, to make it seem like they have more customers than they really do.)

Wow, very surprised to hear that. I definitely recommend taking Marten up on his offer and sending him an email (this behavior—of the CEO reaching out to hackers—is much more in line with my own experiences with them).

Good luck with everything!