Organizations pay an advanced deposit to HackerOne which should cover about 3 month's worth of predicted bounty spend. HackerOne will then use this deposit to remit payments to hackers once the Security team has set an award for a bounty. Typical time to remit payment to hackers is 2-7 days. As part of this process, HackerOne collects the appropriate tax forms to remove that operational headache for organizations.
The organization will receive a single invoice at the beginning of each month with all bounty activity and service fees from the previous month. This amount will be deducted each month from the advanced deposit, and when funds are running low, another advanced deposit will be requested.
With HackerOne taking care of payments, you don’t have to worry about compliance, taxation or figuring out how to pay a hacker in, say, Siberia who doesn’t have a mailing address.