I've seen several stories about how HackerOne doesn't pay out bug bounties when bugs are reported. I, for one, wouldn't submit bugs/PoC to them, and I would actively, publicly, and immediately disclose bugs that affect anybody who is a client of HackerOne.
HackerOne, itself, is pretty generous about reported bugs. (As in, you reported an issue in the website hackerone.com.) They have to be, because their existence depends on everyone thinking bug bounty platforms are a good idea -- it's part of their way of encouraging people to hunt for bug bounties in general.
Payouts for bugs in other products are determined by those companies, not by H1.
It is possible to escalate your dispute with a company to H1 itself. They'll review the report and the company's policy, and they may contact the triager or the company to try to resolve any questions.
I wouldn't do that as a regular thing; you're pretty well guaranteed to piss off everyone on the company's side of things.
I should note that I've personally seen probably in excess of $100,000 paid out through H1; the payouts do happen.
That sounds like it's a payout lottery. H1 can't force its customers to pay. It's acting as a go-between on behalf of its customer, the company offering the bounty, not as a neutral arbiter when there is a dispute.
Perhaps I would take them seriously if there was an escrow account that companies paid into and that was released to the reporting party when a plurality of multiple, disinterested parties agreed that the report was valid.
HackerOne can force their customers to pay, that's the entire point of their "guaranteed bounty" program, that it's a guaranteed bounty!
Even with a guaranteed bounty and a critical security vulnerability, HackerOne will punt the entire thing to one of their Portswigger groupies for collection and then won't disclose the details about the discovered flaw that supposedly they found prior to your submission.
Those guys are a terrible, worthless product offering unless you are one of their clients getting free penetration testing and vulnerability analysis services.
Bah no they aren't, HackerOne has a small collective of security testers that they consistently make awards to, over and over again. If you submit a critical vulnerability, magically one of HackerOne's top ranked folk end up getting the award, AND HackerOne won't share any aspect of that triage information with you to actually prove that the vulnerability you submitted was legitimately discovered prior to your submission.
Junk company, waste of time and effort which results in all of their clients getting 95% free security analysis services.
> Sadly you can't feed your children from media drama.
By the way, if the problem is "how do I reliably get money from bug bounties" (as opposed to "I found a cool bug, what do I do with it") --
I strongly recommend finding a product with some kind of barrier to entry. Most researchers on these platforms are very low-effort. A gigantic, complicated product, like Workday, or even better a gigantic, complicated product that requires payment (!), like Slack for Enterprise, will usually not be getting very many reports. That product is hard to understand. But that means that -- once you've put in the effort to understand the product -- there's a lot more low-hanging fruit, and the company is likely to treat researchers better because of the lower report volume.
The market for a freelance security researcher out there is hard, no doubt, but disclosing bugs publicly is an addition to your resume, akin to any other professional development you do. It demonstrates you can do the work and it shows the skills you have.
Suing someone for disclosing an actual bug is a long term losing proposition for any company in a competitive industry.
The screenshot in #2 does show the H1 Staff screwing up -- @cybernews requests disclosure and gets a response saying "you may request disclosure if you would like this reviewed, using the drop down menu" (which @cybernews has already done).
@cybernews' behavior in that thread isn't ideal, but they're more in the right than in the wrong on that one, judging by the screenshot.
Legitimately interested in your explanation as to how this specific research would be a crime absent contact with HackerOne. Please cite statute. I'm not saying you're wrong - simply asking you to back up your claim with evidence.
I'm sorry, won't do that, don't know why. I'm pretty sure there's something like a computer abuse act. If you don't follow their rules, how would it be legal to hack on their servers?
> Sadly you can't feed your children from media drama.
So it seems like the real answer in these cases is selling the exploit on the "dark web". I mean why not? The vendor doesn't seem to care about security anyway.
"Dark web" for things that are not relevant to Five Eyes and NSA when they are relevant. At least in those cases, with good opsec for the "dark web", you can be reasonably sure the company who made the product can't retaliate against you.
This is what I was thinking. The only stories I ever see about HackerOne are how horrible they are. As a non-sec dev, I only ever get the feeling that bounty hunting for profitability is the same as trying to sell something on eBay. You're eventually going to get scammed and you have to eat the loss.
i think you might want to take a breath, rethink that position and not let your anger cause you to do something stupid. if you disclose a vulnerability, the company HAS EVERY RIGHT to sue you. every security researcher _thinks_ that they are protected by some unwritten good Samaritan law, when in fact, you are hacking and that carries financial and criminal penalties. this is why these bug bounties and established ways of notifying the company of the vulnerabilities exist. you stepping outside of these established channels can be VERY costly. imagine in a moment of unclear thinking and childish behavior, you do something that could cost you your livelihood and financial well-being and also, maybe, get you thrown in jail.
> not let your anger cause you to do something stupid
Note: I didn't say that I would do this for every company. Just ones that use HackerOne. They have decided to abdicate their responsibility for their security vulnerability reporting, and I feel completely justified in dumping info on their vulnerabilities.
Releasing the details of a vulnerability is not stupid. The users of the software/service deserve to know the data/service they're using is unsafe when a vendor refuses to act on a valid security issue.
>If you disclose a vulnerability, the company HAS EVERY RIGHT to sue you.
You don't need the right to file a lawsuit to file a lawsuit. You just file the lawsuit. Now, you need an actual, actionable claim to prevail as a plaintiff in a lawsuit. Whether such a thing exists in practice is something we leave to lawyers to argue about and judges/juries to decide.
If your company is in a competitive industry and I release the details of a vulnerability in your software and you sue me, then that vulnerability and lawsuit becomes marketing item number one for all of your competitors.
>this is why these bug bounties and established ways of notifying the company of the vulnerabilities exist
Arguably why they exist. In reality, they tend to exist to give people an incentive to not dump the vuln details on the black market, embargo bugs so customers don't leave, and attempt to maintain a good relationship with security researchers. They do not grant immunity from being sued or somehow grant the legal right for security researchers to do their work as your comment seems to indicate.
Your post reads like propaganda from a bug bounty organization. I'm not saying that you're shilling, just that you're misinformed. In the US it is generally legal to conduct security research. In the US it is legal to communicate the results of that research publicly so long as you have not agreed in some contract to not do so.
Where did you get the idea that legitimate security research is a crime?
i'm not going to argue with you. if your actions and attitude get you in trouble, it won't affect me in the least nor do i care. so if you want to continue to be self-righteous and say and do stupid things, that's on you.
Insane comment. As a customer of these companies, this attitude is borderline criminal and a big cause of the repeated data breaches. Why should I trust any company that sues security researchers for disclosure?