Triager Guide

Learn how to effectively triage and manage vulnerability reports on Bugbop.

Getting Started as a Triager

As a Triager, your role is to evaluate and respond to vulnerability Bug Reports. This guide will help you get started with your responsibilities. It describes the typical workflow for the role, but details may vary per Program.

Step 1: Getting Invited

As a Triager, your role begins by getting invited to a program by the Owner, an Admin, or another Triager. This process is covered in the "Setting Up Your Team" section of the Program Manager guide.

Step 2: Understanding Your Dashboard

Your dashboard provides an overview of issues that may require your attention:

  • Pending Invites: Invites to any Program that you haven't accepted yet.
  • Action Required: Bug Reports that are either in the New or Open state. New bugs should be triaged.
  • Unread Notifications: Notifications you have received but have not yet opened, either by clicking the notification itself or by visiting the relevant Program, Bug Report, etc.

Step 3: Receiving Notifications

Your workflow will typically begin by receiving a notification. Unless you have turned them off (or they land in spam), you will receive email notifications for events happening in your Programs.

It's also possible to set up Webhooks to integrate with other systems, such as n8n or Slack, to improve your workflow.
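As an added example (not Bugbop's own code, and not its documented webhook format): a minimal receiver that accepts a webhook delivery, checks a signature before trusting the body, and routes new-report events to a chat channel. Bugbop's payload fields, event names and any signing scheme are not described on this page, so the header name, shared-secret HMAC-SHA256 scheme and the "report.created" style event names used here are assumptions; substitute whatever your Program's webhook settings actually provide. The point worth keeping is the order of operations: a webhook receiver is an internet-facing endpoint, so verify authenticity before parsing, and parse before routing, or anyone who finds the URL can inject fake "new report" events into your triage channel.

```python
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple

# Assumptions for illustration: a shared secret configured alongside the webhook
# and an HMAC-SHA256 hex digest of the raw body sent in this header. Bugbop's
# real signing scheme, if any, is not described here; check your Program settings.
SHARED_SECRET = b"replace-with-your-webhook-secret"
SIGNATURE_HEADER = "X-Webhook-Signature"
MAX_BODY = 1 << 20  # refuse oversized deliveries before reading them

# Event names and payload fields are also assumptions, not Bugbop's documented format.
ROUTES = {
    "report.created": "#triage-new",          # New reports need a triager's attention
    "report.commented": "#triage-activity",   # e.g. a Bug Hunter answering Needs More Info
    "report.status_changed": "#triage-activity",
}


def expected_signature(secret: bytes, body: bytes) -> str:
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Constant-time comparison so a forged signature can't be guessed byte by byte."""
    if not header_value:
        return False
    return hmac.compare_digest(expected_signature(secret, body), header_value.strip())


def route_event(payload: dict) -> Optional[Tuple[str, str]]:
    """Map an event to (channel, message); None for events we don't act on."""
    event = payload.get("event")
    if not isinstance(event, str) or event not in ROUTES:
        return None
    report = payload.get("report") or {}
    message = "[{}] #{} {} (severity: {})".format(
        event, report.get("id", "?"), report.get("title", "(untitled)"),
        report.get("severity", "unrated"))
    return ROUTES[event], message


def handle_delivery(body: bytes, header_value: Optional[str]) -> Tuple[int, Optional[Tuple[str, str]]]:
    """Verify, then parse, then route one delivery; returns (HTTP status, routed message)."""
    if not verify_signature(SHARED_SECRET, body, header_value):
        return 401, None
    try:
        payload = json.loads(body)
    except (json.JSONDecodeError, UnicodeDecodeError):
        return 400, None
    if not isinstance(payload, dict):
        return 400, None
    return 204, route_event(payload)


class WebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length") or 0)
        except ValueError:
            length = -1
        if length < 0 or length > MAX_BODY:
            self.send_response(413)
            self.end_headers()
            return
        body = self.rfile.read(length)
        status, routed = handle_delivery(body, self.headers.get(SIGNATURE_HEADER))
        if routed:
            channel, message = routed
            print(channel, message)  # stand-in for the outbound Slack/n8n call
        self.send_response(status)
        self.end_headers()


# Constructed sample delivery, not a real Bugbop event.
SAMPLE_BODY = json.dumps({"event": "report.created",
                          "report": {"id": 42, "title": "IDOR on /users", "severity": "high"}}).encode()

if __name__ == "__main__":
    print(handle_delivery(SAMPLE_BODY, expected_signature(SHARED_SECRET, SAMPLE_BODY)))
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

If the platform does not sign deliveries, the fallback is a long random token in the webhook URL path plus an allow-list of source addresses; neither is as strong as a body signature, and a receiver with no check at all should not feed anything that a person will act on.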

Step 4: Evaluating Reports

Note: The following steps can be assisted by enabling Bugbop's AI Triage.

When a new report comes in:

  1. Review the report details, including the steps to reproduce
  2. Verify the report is in scope for your program
  3. Attempt to reproduce the issue using the provided instructions
  4. Assess severity based on your program's guidelines
  5. Check for duplicates against existing reports

When reproducing, follow only the steps the report describes, stay within the program's scope, and stop once the impact is confirmed; your job is to verify the Bug Hunter's finding, not to extend it.
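Two of these steps, the scope check and the duplicate check, are mechanical enough to script. The following is an added example of how a triager might do that locally; it is not Bugbop's code, and the Scope and Report structures, the sample scope and the sample reports are constructed for illustration. It shows the two mistakes a hand-rolled scope check usually makes (treating "*.example.com" as a substring match, so "example.com.attacker.net" slips in, and letting a wildcard inclusion override an explicit exclusion) and a coarse duplicate fingerprint that ignores the one thing most duplicate reports differ in, the specific numeric identifier in the URL.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import SplitResult, urlsplit


@dataclass
class Scope:
    in_scope: List[str]      # hostnames, optionally with a leading "*." wildcard
    out_of_scope: List[str]  # exclusions take precedence over wildcard inclusions


@dataclass
class Report:
    id: int
    title: str
    target: str    # URL or bare hostname the Bug Hunter reported against
    weakness: str  # free-text class such as "IDOR" or "XSS"
    status: str    # New, Open, Needs More Info, Duplicate, Not Applicable


def _split(target: str) -> SplitResult:
    """Parse a URL or a bare 'host[:port]' string uniformly."""
    return urlsplit(target if "://" in target else "//" + target)


def _host_matches(pattern: str, host: str) -> bool:
    """Wildcard only as the leftmost label and only on a label boundary, so
    '*.example.com' covers 'a.b.example.com' but neither 'example.com' itself
    nor 'example.com.attacker.net' nor 'notexample.com'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def asset_in_scope(scope: Scope, target: str) -> bool:
    host = _split(target).hostname
    if not host:
        return False
    if any(_host_matches(p, host) for p in scope.out_of_scope):
        return False
    return any(_host_matches(p, host) for p in scope.in_scope)


def fingerprint(report: Report) -> tuple:
    """Coarse duplicate key: weakness class + host + path with numeric
    identifiers collapsed to 'N' and the query string dropped."""
    parts = _split(report.target)
    path = re.sub(r"\d+", "N", parts.path or "/").rstrip("/") or "/"
    return (report.weakness.strip().lower(), (parts.hostname or "").lower(), path)


def duplicate_candidates(new: Report, existing: List[Report]) -> List[Report]:
    """Earlier reports sharing the fingerprint, oldest first, so the original
    (the report a Duplicate should point at) is listed first. Reports already
    closed as Duplicate are skipped; the original they point at matches on its own."""
    key = fingerprint(new)
    hits = [r for r in existing
            if r.id != new.id and r.status != "Duplicate" and fingerprint(r) == key]
    return sorted(hits, key=lambda r: r.id)


def initial_assessment(new: Report, scope: Scope, existing: List[Report]) -> str:
    """Suggest the next action; a person still reproduces before setting Open."""
    if not asset_in_scope(scope, new.target):
        return "Not Applicable: target is out of scope"
    dupes = duplicate_candidates(new, existing)
    if dupes:
        return "Possible Duplicate of #{}: confirm before closing".format(dupes[0].id)
    return "Reproduce, then assess severity"


# Constructed sample data for illustration, not from a real Program.
SCOPE = Scope(in_scope=["*.example.com", "example.com"], out_of_scope=["staging.example.com"])
EXISTING = [
    Report(1, "IDOR on user profile", "https://api.example.com/users/12", "IDOR", "Open"),
    Report(2, "Reflected XSS in search", "https://www.example.com/search?q=x", "XSS", "Open"),
]

if __name__ == "__main__":
    incoming = Report(3, "Can read other users' profiles",
                      "https://api.example.com/users/9000", "idor", "New")
    print(initial_assessment(incoming, SCOPE, EXISTING))
```

The fingerprint is deliberately coarse: it is meant to surface candidates for a human to compare, not to close reports automatically. Two reports against the same endpoint and weakness class can still describe different root causes, which is why the suggestion says "confirm before closing".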

Step 5: Communicating with Researchers

Clear communication is essential:

  • Use the "Add Comment" feature to ask questions or provide updates
  • Be specific about any additional information you need
  • Provide regular status updates, especially for complex issues
  • Maintain a professional tone, even for invalid reports

Step 6: Changing Report Status

Update the report status as you process it:

  • Open: The bug has been verified and can now be prioritized by the remediation team.
  • Needs More Info: When you require additional details from the Bug Hunter.
  • Duplicate: When the issue has been previously reported. You will need to select which report it is a duplicate of.
  • Not Applicable: For out-of-scope findings or non-issues.

Step 7: Recommending Bounties

If your program offers monetary rewards:

  1. Review your program's bounty structure
  2. Consider the report's quality, severity, and impact
  3. Wait for program admin approval before finalizing

Next Steps

As you gain experience:

  • Learn common vulnerability patterns to speed up verification
  • Develop templates for standard responses
  • Build relationships with regular contributors
  • Review closed reports to improve your triaging skills
  • Share knowledge with your team to improve overall security