alt Hacker NewsI've been on Hackerone for almost 8 years and I think the problem with this is that too many companies won't pay for legitimate bugs, even when you have a working exploit.
I had one critical bug take 3 years to get a pay out. I had a full walkthrough with videos and report. The company kept stalling and at one point told me that because they completely had the app remade, they weren't going to pay me anything.
Hackerone doesn't really protect the researcher either. I was told multiple times that there was 'nothing they could do'.
I eventually got paid, but this is pretty normal behavior with regards to bug bounty. Too many companies use it for free security work.
I do think HackerOne is problematic, in that it pushes companies that don't really understand bug bounties to stand up bounty programs without a clear reason. If you're doing a serious bounty, your incentive is to pay out. But a lot of companies do these bounties because they just think they're supposed to.
Most companies should not do bug bounties.