I worked in IT security for many years and decided to try out a little bug hunting. Wish I had seen this before I started. The companies running these things seem to have a system where even real bugs are downgraded by default. I found it weird because it is detrimental to both their customers and their reputation, but I have to face the facts. As an example: out of ten reports to the hacker1 platform, 4 were okayed but all previously reported, one of them in early March but no patch so far, and none of the previous reports disclosed. The remaining six were dismissed without any indication as to why, except one. For one of them, the team said they were unable to reproduce the problem. This was just a low or informational leak of internal IP addresses and the PoC was a simple dig command. Either they were too lazy to test it or they just didn't care and dismissed it anyway. But it makes you wonder how the rest of the findings were evaluated.
Use the companies that run their own programs, that's my piece of advice.