
I really feel like Hackerone isn't really holding up their end of the bargain if they let companies sit on things like this for 3 years.


Hackerone is beholden to the company running the bug bounty program. The extent that they are involved heavily depends on what services they are providing (triage, etc). At the most basic level, they're just providing a platform for disclosure of vulnerabilities and some boilerplate legalese to prevent legal departments from suing researchers.

In the vast majority of cases, companies deny requests for public disclosure. A researcher that discloses regardless of permission violates their agreement with hackerone and the company and exposes themselves to legal liability. In this case it seems the company agreed to public disclosure, which IMO should be applauded, even if their response was very slow.

I've personally had several four figure bugs unremediated for >1year, but I never thought it was hackerone's fault.


Author of the blog post here. Yes, I agree that it wasn't Hackerone's fault and they tried their best to help.

As for the violation of agreement with hackerone, I have read the policy many times before publishing the article and even asked Hackerone about this. The vulnerability is already fixed and I haven't heard from Harvest since April 2022 so there's no point asking them as it would seem like a threat rather than an actual disclosure. An excerpt from the agreement:

> Last resort: If 180 days have elapsed with the Security Team being unable or unwilling to provide a vulnerability disclosure timeline, the contents of the Report may be publicly disclosed by the Finder. We believe transparency is in the public's best interest in these extreme cases.


So, bug bounty programmes sprung up as a way to help coordinate disclosure and help researchers engage in responsible disclosure.

A key part of responsible disclosure is the disclosure part.

Often researchers would disclose unpatched issues to put weight on companies, even large companies, to actually patch issues.

One of the side-effects of programs like Hackerone is that actually doing your own responsible disclosure is now frowned upon (often to the point of legal problems).

But part of the social contract of absorbing coordinated disclosure should be an expectation that hackerone allows disclosing even unfixed issues.

Hackerone should not be "beholden" to companies. They make the rules. They could allow disclosure of issues if they wanted to make that a condition of the platform.

It's companies sitting on vulnerabilities that birthed the concept of "responsible disclosure" in the first place. If H1 etc are allowing it then there needs to be a renaissance of the practice outside the platforms.


“responsible disclosure” is a meme to reframe immediate full disclosure as irresponsible. It is not.

Feel free to post all research results to f-d in full. This is a reasonable and responsible way to notify companies about vulnerabilities.


So, it basically sounds like we are missing a governed body consisting of researchers with possibly a tiered disclosure process (for severity) and the possibility to _maybe_ apply for an extension of disclosure. Would this ever happen?


I dealt with a HackerOne issue from the company side where the HackerOne participant was constantly violating HackerOne’s own rules: Breaking disclosure timelines, posting false social media statements about the bug, and even threatening our employees.

HackerOne didn’t care. No matter how many times we pointed out the person was violating their own rules, they claimed they couldn’t do anything.

It felt like a company that had been built up to steady state operations, then stripped down to a bare minimum operating crew where questions were answered by powerless support people.

This was a while ago. Maybe things have changed, but that was my impression at the time.


Of the three parties involved (HackerOne, the company, and the researcher finding the bug), the company has all of the leverage. If they feel like HackerOne is stepping on their toes and making decisions as to whether to "let" companies do things, those companies will just leave HackerOne and create an in-house solution.


HackerOne should require companies to put down 10-100k in an escrow account, that can be used to pay out security researchers on the discretion of HackerOne. Allowing companies to decide when and if a bounty is paid out doesn't make any sense in this case.


Companies just don't use HackerOne in that case and HackerOne is dead. Which is why they are beholden to the companies in question.


You assume that the reputation loss of leaving HackerOne is not an issue for the company.

It seems very reasonable to me that if the decision to leave HackerOne is prompted by conflict over responsible disclosure, then it is appropriate for HackerOne to disclose that fact. Including disclosing the bugs that the company was unwilling to responsibly disclose.

This puts HackerOne in the position of actually representing the interests of the hackers. And makes participating in HackerOne to be more than a meaningless publicity gesture for the companies.


Maybe they just need company reviews so people can avoid the shitty ones that take years and don't pay out

