u/Traditional-Tap8209

HackerOne is the worst bug bounty company and cannot be considered a true intermediary at all; it’s essentially no different from doing bug bounty externally without any platform acting as a mediator.

HackerOne is one of the worst bug bounty platforms. After making more than $5,000 in earnings from this platform, I’m speaking based on my own experience. In the private program “mondelez-bbp,” the first thing I did was submit a report about a business logic bug. They responded with this completely useless reply:

Thank you for your submission!
Your report has passed the preliminary analyst review. Please note that this does not confirm validation — the status may change after further review.
Next in workflow is for our team to validate and reproduce the issue, evaluating its accuracy and security impact. You will be notified when the team has reviewed and made an assessment on your report.
We’ll keep you updated as the process moves forward. Have a great day!
Thanks,

Even if the company closes the bug, HackerOne will not stand by your side or acknowledge that it previously existed before being fixed.

The bug was that I could spend $60 and receive one gift. I captured the request and modified it to include other gifts, and it worked — I was able to receive 5 gifts instead of just one.

After that, they told me they were discussing it with the program, then suddenly marked my report as a duplicate of another report that had a completely different title and issue. That other report was even closed as “informational” in the end, which proves it wasn’t the same bug.

After that, whenever I tried to ask or discuss the situation, they completely ignored me — which shows disrespect and feels like a scam. I even submitted a mediation request, but neither the platform nor the company responded at all.

After some time, I found that the bug had been fixed. So if it was really “informational,” why did they fix it in the first place?

u/Traditional-Tap8209 — 18 hours ago