In your DMARC report, you set the aggrerate report email (rua) to security@netlify.com. security@netlify.com automatically creates a vulnerability report with HackOne. Now I get an E-Mail from Hackerone every day on how to continue with that report.
I don’t think the rua-E-Mail should redirect to hackone, I think it would be appropiate to remove this email from the dmarc entry, as other there are other emails with dmarcian listed.
Welcome to the Netlify Forums! Thank you so much for sharing this with us. I’ve reached out to our team who are responsible for our Hackerone scheme. We’ll get back to you!
Thanks for your patience on this. Our team has fixed this, and we apologize fore the spam that you were receiving. If you need help unsubscribing from HackOne emails, please let us know.