
No, there isn't. Bounty dollars are immaterial to the companies offering them. In fact: the opposite incentive exists. These programs justify themselves by uncovering significant bugs.


When a bug has been submitted, and the company is trying to figure out how much to reward?

The companies that consistently publish their bugs have a good track record of giving appropriate bounties. I don't see a clear incentive for a company that doesn't allow their bugs to be published, to be anything other than stingy. Computer security is a cost center for a business, and the folks managing the bug bounty program have a clear incentive to minimize their costs, while maximizing the bugs found.

I think a potential solution would be increased bug disclosure on platforms like Hackerone. Currently, a company has to agree to disclose the details, and most never do. Openness allows hackers to vote with their feet, and spend more time on the companies that are easier to work with, both in bounties rewarded, and easiness of the reporting process.


I've read this a couple times and don't really follow it. In reality, there is a tacit consensus scale for vulnerabilities by severity; a real XSS, for instance, in a platform where XSS isn't somehow sev:crit like it is on a large social network, is worth "hundreds" of dollars. Most companies have a scale worked out ahead of time. HackerOne will give you advice on scales if you want to take it.

Whatever the scale is, companies have no incentive to avoid paying them, because even at the high end of the scale the amounts are immaterial. Remember, we're talking about H1 bounties here, not the Apple and Google platform bounties, which are totally different animals.

The real risk companies that run bounties face is that their programs won't generate any real bugs at all, but will absorb costs from both the platform and all the nonsense bugs they have to triage. New serious bounties are good news, not bad news, for most bounty programs.

(I've managed several, continuing until recently; before I did, I went around talking to people who ran them to get the lay of the land. I'm pretty confident in my answers here.)


Speaking as a former client of H1: exactly. Our problem was how to get more critical reports to throw money at, not how best to chisel the hackers. We weren’t able to sufficiently motivate hackers to dig into the places we felt deserved better coverage, but would have happily paid for critical bugs in those areas if anyone submitted them.


I agree with the points you made.

The issues I've personally experienced have been with impact, for bugs outside of the very traditional XSS/SQLI/RCE. I've gotten things along the lines of "yes, our _______ is seriously broken, but it's not/barely a security issue," with an explanation that stretches plausibility. Maybe I'm full of crap, maybe they are.

I'm sure those running bounty programs would have all sorts of folks contesting things that aren't actually real bugs. I think the only real good solution is increased visibility on all sides. That way each of our technical arguments can stand on their merits, whoever is full of crap can get called on it, and others looking for bugs can choose where to invest their time (glossing over that solution missing a bunch of thorny implementation details, I'm sure).


I'm not going to name the billion dollar company on HackerOne I have an issue with, but they routinely downplay bug reports, take over 1 year to deal with some of them (if ever). And just recently one report HackerOne screeners closed as being out of scope blew up in their face as it was exploited in the wild, and they fixed it only after numerous public complaints.

I've heard rumors of people selling exploits for this company on the black market for more money now.


A company can ignore a report, then get the reporter banned on HackerOne if the reporter decides to no longer follow the HackerOne guidelines and publicly discloses a vulnerability. This gives companies an opportunity to turn HackerOne into a black hole where they get to not pay any bounties and simultaneously keep the vulnerability secret.


I don't believe any serious company does this. There are lots more companies running bounties than I could ever talk to, but I can't even fathom how the cost/benefit of this is supposed to work. It's a negligible amount of money, and a non-negligible reputation risk. I find it a lot more likely that the people who feel this happened to them either reported out-of-scope bugs, or collided with someone else.



