I've had enough repeated bad interactions through Hackerone that I will go full disclosure on any company that offers it as the only disclosure channel.
(If Hackerone wants to fix that: enable easy, on-platform disclosure unconditionally after 30 days. Right now, the platform is just used to pressure people into delaying disclosure or not disclosing at all.)
Companies will routinely downgrade the severity of your exploit so they can pay you less.