Sorry, but you don't understand what you are looking at.

All of HackerOne's information that you cite is about them being PCI-DSS-compliant or having undergone a SOC2 Type 2 audit. Nothing you link to identifies them as a PCI-DSS auditing company. They are not.

And the "scans" the PCI-DSS standard refers to are standard pen-test and external vulnerability scans, usually conducted by an accounting company who will certify the scan results. They are for known vulnerabilities, things like the version of Apache you are on, etc. None of the reports sent via HackerOne would qualify as a "scan" under PCI-DSS.




> All of HackerOne's information that you cite is about them being PCI-DSS-compliant or having undergone a SOC2 Type 2 audit. Nothing you link to identifies them as a PCI-DSS auditing company. They are not.

Please read the page again. They specifically say you can achieve compliance certification with HackerOne.


You achieve that compliance by paying HackerOne, as a company, to perform a compliance scan. This does not mean any swinging dick that reports a vulnerability through HackerOne is causing PayPal to fall out of compliance. These scans are planned well in advance and are part of a normal audit cycle. (edit: typo)

On top of that, there aren't really any legal issues for being non-compliant, as has been pointed out elsewhere in this thread.


As someone who deals with PCI-DSS compliance in fintech land on a daily basis, this thread is showing me there are a lot of people who like to crow on about stuff they don't know a thing about.


You must be new here.


Indeed. However, it's refreshing to see a HN thread that's defending vendor snakeoil instead of assuming all infosec is vendor snakeoil.


We read the page, and even if your claim holds, it is still irrelevant because whatever you quoted is not the same as being a PCI-DSS approved scanning vendor. And even if it was, HackerOne did not perform any scans.

HackerOne offering PCI-DSS approved auditor approved challenges gets you nowhere towards the claims you made in your first comment.

To review:

1. HackerOne would have to be a PCI DSS Approved Scanning Vendor - they are not AFAICT, neither is the CyberNews research team that did the scan AFAICT.

2. HackerOne would have to have conducted the scan - they did not. The CyberNews research team did.

3. The scan that HackerOne did would have to qualify as a PCI-DSS external scan - which ... do you get the part that HackerOne did not do the scan here or not? And nowhere did the CyberNews research team claim they performed a PCI-DSS external scan.

Please at least try to make an argument for your claims.


“SATISFY COMPLIANCE CERTIFICATION REQUIREMENTS

Meet pentest requirements for PCI DSS, SOC2 Type II, and HITRUST compliance certifications.” [1]

[1] https://www.hackerone.com/product/pentest


Can you remind me again why HackerOne is relevant here? Who claimed where that they performed a PCI DSS external scan that failed?


The page only says that they do external security scans that other companies who do the actual certification recognize as valid scans. They certify no one themselves.

Further, that has absolutely nothing to do with anyone reporting vulnerabilities through HackerOne. That is not a scan by the definition of PCI-DSS, the SOC2 trust services criteria, or any other security framework you care to name.

Just give it up. You're wrong.
