Mozilla has a very fair triage process, with good bounties and good responses.
GitLab has quite long triage and payment times, but overall the staff is responsive and fair.
The X team is quite receptive to valid vulnerabilities, though in some cases they end up marking real flaws as 'by design', even though their communication is transparent about the reason. In my experience, they have also paid a small bonus when the issue was valid but already known internally.
Vercel OSS currently has quite long triage times and medium bounties, with a broad scope.
Snapchat's triage basically provides meaningless excuses to invalidate vulnerabilities they don't want to fix. The program is unfair and misleading overall. #scam 💀 #wontfix 🛑
Cluely has recent public criticism around payment follow-through after a reported issue was fixed. * Internet-sourced review.
Cluely looks like a bad ROI target because public feedback claims the team patched a reported issue without honoring the bounty. * Internet-sourced review.
Chrome remains high-quality for deep browser research, but changing reward rules can reduce certainty for non-top-tier bugs. * Internet-sourced review.
Google VRP has newer complaints around response/payment expectations and dynamic reward decisions, especially for non-top-tier reports. * Internet-sourced review.
Chrome/Google VRP feedback is generally strong, though recent reward-table changes make mid-tier expectations less predictable. * Internet-sourced review.
Meta has recent public feedback from researchers still waiting after weeks or months, making it look like a poor ROI target. * Internet-sourced review.
Trendyol appears in public complaints about reports being dismissed and later fixed, making the researcher experience look risky. * Internet-sourced review.
Mozilla has at least some mixed recent comments, so it should be treated as strong but not perfect. * Internet-sourced review.
Snapchat has public positive feedback from a researcher who reported multiple IDORs and received a meaningful payout. * Internet-sourced review.
Microsoft MSRC also has public criticism around quiet fixes and weak attribution, so the average experience stays mixed. * Internet-sourced review.
Microsoft MSRC has some positive recent feedback from researchers who say their submissions were handled well. * Internet-sourced review.
Hathor Network has public criticism around scope interpretation, silent fixes, and lack of bounty or credit. * Internet-sourced review.
Mozilla is publicly compared favorably for quick, professional responses and for paying good bounties on browser reports. * Internet-sourced review.
GitLab is mentioned as a company that appears to care about researcher reports, though the public signal is limited. * Internet-sourced review.
Google VRP is often contrasted positively against silent-fix programs, but public threads still mention waiting for panel outcomes and variable rewards. * Internet-sourced review.
Meta Bug Bounty has public criticism around slow handling, silent fixes, and reports closed without adequate impact recognition. * Internet-sourced review.
WordPress is visible and useful for practice, but low public reward expectations make it a weak ROI target. * Internet-sourced review.
Snapchat still looks inconsistent overall: some payouts exist, but the practical community reputation is not reliably positive. * Internet-sourced review.
Meta shows repeated public complaints about long waits, silent fixes, and low confidence that valid reports will be handled fairly. * Internet-sourced review.
Okta has mixed public feedback where initial triage friction can be corrected through escalation and direct engagement. * Internet-sourced review.
GitHub is viewed as a serious mature program with public activity, but strong competition means only high-quality reports are worth the time. * Internet-sourced review.
Microsoft MSRC has split public feedback, with both resolved payouts and complaints about delays or silent fixes. * Internet-sourced review.
Shopify is useful to study, but public discussion shows edge-case findings may be hard to classify as bounty-worthy. * Internet-sourced review.
Google VRP feedback includes researchers waiting on panel decisions and asking how long payout can take, so practical timing can be uneven. * Internet-sourced review.
Celo has public governance discussion around settling outstanding bounty rewards and preserving researcher trust. * Internet-sourced review.
Cloudflare is a hardened target where useful findings need depth; public chatter suggests naive testing burns time quickly. * Internet-sourced review.
OpenAI has public complaints around ghosting and transparency after valid-looking reports, despite having a visible bounty program. * Internet-sourced review.
Roblox appears in public stories around unresolved or ghosted early reports, so the practical researcher experience looks weak. * Internet-sourced review.
OpenAI has mixed public feedback, with positive program visibility but recurring disagreement around impact assessment. * Internet-sourced review.
Shopify remains a useful public target with many public learning references, though competition makes ROI uneven. * Internet-sourced review.
Mozilla has strong public feedback for quick professional handling and reliable bounty payment. * Internet-sourced review.
Valve has broadly positive public feedback around triage, communication, and reward handling. * Internet-sourced review.
Yahoo has positive public feedback around triage quality, communication, and bounty handling. * Internet-sourced review.
Google VRP has strong public reputation, but researchers still ask about payout timing and panel decisions, so payment certainty is not perfect. * Internet-sourced review.
Snapchat has some public praise, but broader researcher feedback is mixed enough that the practical experience looks unreliable. * Internet-sourced review.
Amazon Devices has public feedback describing inconsistent communication and low-touch handling after submissions. * Internet-sourced review.
Coinbase is often treated as a serious high-value target, but researchers should expect heavy competition and deep validation needs. * Internet-sourced review.
Coinbase can be worth targeting, but public advice frames it as difficult and better suited to persistent, experienced hunters. * Internet-sourced review.
Aave has a major public Immunefi program, but public discussion also questions whether some ecosystem bounty caps match systemic impact. * Internet-sourced review.
GitLab has strong public feedback for engagement on high-impact reports and clear reward handling. * Internet-sourced review.
Uber has a mature public program, but community sentiment treats major public programs as crowded and inconsistent for ROI. * Internet-sourced review.
OpenAI appears in reports of fast fixes followed by slow customer-side acknowledgement, which weakens trust in the process. * Internet-sourced review.
Atlassian has public criticism around triage escalation, minimal-impact closures, and limited feedback clarity. * Internet-sourced review.