Comment by cowsup
3 years ago
Of the three parties involved (HackerOne, the company, and the researcher finding the bug), the company has all of the leverage. If they feel like HackerOne is stepping on their toes and making decisions as to whether to "let" companies do things, those companies will just leave HackerOne and create an in-house solution.
HackerOne should require companies to put down 10-100k in an escrow account, that can be used to pay out security researchers on the discretion of HackerOne. Allowing companies to decide when and if a bounty is paid out doesn't make any sense in this case.
Companies just don't use HackerOne in that case, and HackerOne is dead. Which is why they are beholden to the companies in question.
You assume that the reputation loss of leaving HackerOne is not an issue for the company.
It seems very reasonable to me that if the decision to leave HackerOne is prompted by conflict over responsible disclosure, then it is appropriate for HackerOne to disclose that fact. Including disclosing the bugs that the company was unwilling to responsibly disclose.
This puts HackerOne in the position of actually representing the interests of the hackers. And it makes participating in HackerOne more than a meaningless publicity gesture for the companies.