by darkwater 396 days ago
Isn't that basically HackerOne?

No, HackerOne gets paid by the companies, so they're heavily incentivized to work for their benefit.

I've had three such bad experiences with unskilled H1 triagers that the next vuln I find from a company that uses H1 will go instantly public. I'm never going to spend that much effort again to get a triager who would actually bother to triage.

Except there you spend several months walking an underpaid person in India who can barely use a shell through reproduction steps, get a confirmation after all that work, and the vendor still ignores you.
HackerOne, BugCrowd, et al don't appear to make any serious effort to vet reports themselves.
Is that true? I thought you could pay for an H1 service that basically had professionals triaging the vulnerabilities and only passed on the correct ones?
Our company pays for one of these third party triage services for H1.

The quality is seriously lacking. They have dismissed many valid findings.

Ah thank you for the info!

From what I understood, the service is also (very) expensive. Wild.