My name is Abdul Rehman Parkar, and I am a security researcher.
I also participate in bug bounty programs on platforms like Bugcrowd, HackerOne, and others.
In today’s write-up, I will share my experience with HackerOne’s support service and mediation process.
I’ve been hunting on HackerOne’s programs for quite some time and have received several bug bounties. Up until now, my experience with HackerOne was quite good.
Then, one day, I submitted a 2FA bypass vulnerability in a private program. I reported it even though physical access was out of scope for that program because it was a valid authentication issue, and authentication bypass was a focus area for them.
However, the HackerOne triager closed the report as “Informative,” saying that physical access was required — even after I explained the impact.
This was the first time something like this happened, and I assumed it was closed because it was out of scope. So, I decided to use HackerOne’s support feature, called “mediation,” which is meant for situations where you disagree with the report’s resolution or need further assistance. So, I filed a mediation request.