That's why I stopped going to HackerOne. My first 3 reports were marked as duplicate. The last report on there was an auth bypass, essentially. They replied: "But you need to show what can be done beyond this". Like, wat? You want me to do some real damage before accepting it (hackerone managed)?
Those were my only reports on the platform before I gave up. Then I went to BugCrowd, submitted a report and it was accepted.