Bug bounty platforms
> Bug bounty platforms also give clear criteria over the work product that they will pay for – which can be taken as directing work. And they pay people for their time and skills, as well as repeatedly refer to the “work” that the people that sign up to their platforms perform.
From my understanding as someone who has used HackerOne to receive bug reports on behalf of a company, it's the company whose products are being tested that sets the critera over what work will be paid for, and which decides and makes the payments (bounties) to hackers. AFAICT the platform merely facilitates the communications and transactions.
That said, HackerOne do offer paid managed accounts to companies, so it's possible this could affect their business relationship with those they contract directly to manage and triage those accounts, but they're not the ones doing the pen testing.