undefined | Better HN

0 pointsdarkwater10mo ago0 comments

Isn't that basically HackerOne?

0 comments

No, HackerOne gets paid by the companies, so they're heavily incentivized to work for their benefit.

I've had three really bad experiences with unskilled H1 triagers that the next vuln I find from a company that uses H1 will go instantly public. I'm never going to spend that much effort again, to get a triager that would actually bother to triage.

asmor10mo ago

except there you spend several months walking an underpaid person in india who can barely use a shell though reproduction steps, get a confirm after all that work and the vendor still ignores you

xmodem10mo ago

HackerOne, BugCrowd, et al don't appear to make any serious effort to vet reports themselves.

hashstring10mo ago

Is that true? I thought you could pay for a H1 service that basically had professionals triaging the vulnerabilities and only pass on the correct ones?

ycombinatrix10mo ago

Our company pays for one of these third party triage services for H1.

The quality is seriously lacking. They have dismissed many valid findings.

1 more reply

j / k navigate · click thread line to collapse