Hackerone is a joke, anyway. Organizations will just respond with "it's a feature, not a bug" to get out of any bounty. I once reported that you could log on to certain PP accounts with just username and CC number, bypassing configured 2FA, and allowing to wipe the 2FA. Guess the response. Lo and behold, it's fixed now.