Side Jobs Feb 27, 2023
Walmart rbIy78

HackerOne bug bounty payout?

Not sure where to ask this question. But I found a server with a lot of customer data exposed. I reported it through HackerOne. While it was not in the company's scoping docs, it was a company they owned. They fixed the issue and closed the ticket. But I do not see any payout associated with this finding. Should I ask in the thread about a payout? Not sure what my next steps are.

Vanguard TkqH16 Feb 27, 2023

You should have sold the data

Dell Layla-6172 Feb 27, 2023

Did you have any proof that they will pay for finding bugs? You should have informed about that and asked if they are willing to pay. You just told them and they fixed it.

Walmart rbIy78 OP Feb 28, 2023

Turns out no. “Please note, your disclosure will not be compensated by - and you are under no obligation to identify and report potential vulnerabilities to -.”

Deloitte rrBs11 Feb 27, 2023

You probably won't be paid so your next best option is to leverage it into some kind of contract with the company for additional pentesting.

Walmart rbIy78 OP Feb 27, 2023

Turns out they don’t pay any bounties at all. Total waste of time.

Deloitte rrBs11 Feb 27, 2023

I'm telling you, dude/dudette... Track down whoever is in charge of infosec at that company and offer your services.

Walmart rbIy78 OP Feb 27, 2023

I’ve got a full-time job, I don’t need it. Just doing it for fun and profit in my spare time. But thanks for the advice. Not sure why a Fortune 100 company does business like this.