by tptacek
3350 days ago
It is unlikely that there is a company in the US that has a security team that hasn't heard of H1. They're kind of a big deal. Since they're the ones handling the first contact in these situations, you can safely let their name be their problem; they know how to explain themselves. The more realistic concern here is that for these kinds of findings --- CSRFs in random web applications --- there simply isn't going to be a contact at the target company, and H1 isn't going to find one for you. That's why they point out they can't promise a contact.
You'd be surprised. HackerOne is relatively new, just several years old. Does everyone know OWASP? Almost certainly yes. Does everyone know the BSides community? No.
Anyway, H1 can act as a shield, in this case. On the other hand, companies like WhiteHat or Rapid7 are probably more well-known since they will probably spam your security team on a regular basis trying to sell their products.