I work with HackerOne as an employee of a company with a bug bounty program. We're pretty sensitive about pissing off submitters. We're pretty strict about honoring our scope. Even if we know about a vulnerability, if we haven't specifically excluded it then we usually pay out (except duplicates where we have already paid out for it). I've seen many submitters respond with something along the lines of "thanks for the quick payout, I'm going to spend more time on your product".

We want submitters to spend time finding issues for us. That's why we set up the program. It's important to our brand that we don't have security issues, and we recognize that a few-thousand-dollar payout through HackerOne is much cheaper than the potential legal bill if we were compromised.
