Triaging Bug Reports

Severity levels, communication guidelines, and response templates

The Triage Process

Quick reference for severity levels, communication, and response templates. For the full walkthrough, see the Triager Guide.

Important: Try to respond to reports within 24-48 hours, even if it's just "thanks, we're looking into it".

Initial Assessment

Scope Validation

  • Verify the affected asset is listed in your program scope
  • Check whether the vulnerability type is excluded in your program policy
  • If a report is technically out-of-scope but still valuable, consider making an exception

Validity Check

  • Does it describe a security vulnerability (not a feature request or UX issue)?
  • Is there enough information to reproduce the issue?
  • Does it affect the confidentiality, integrity, or availability of your systems or data?

Duplicates

  • Search existing reports for similar vulnerabilities
  • Compare technical details, not just vulnerability categories
  • If it's a duplicate but with additional attack vectors or impact, consider treating it as a unique finding

Severity Evaluation

Bugbop uses four severity levels. Think about how bad it would be if exploited, how easy it is to pull off, and how important the affected system is.

Severity Levels

  • Critical: Full system compromise, data breach, or remote code execution. Easily exploitable with no authentication required. Affects critical assets like authentication systems, payment processing, or PII storage.
  • High: Significant data exposure or functionality compromise. May require a low-privilege account or some user interaction to exploit. Affects important systems like user account management.
  • Medium: Limited data exposure or partial functionality impact. Requires specific conditions or elevated access to exploit. Affects less sensitive components.
  • Low: Minor information disclosure or minimal real-world risk. Requires complex conditions or unlikely scenarios to exploit. Affects non-sensitive assets like marketing pages.

Bug Hunter Communication

Reply fast, be straight with people, and don't leave them hanging. See the response templates below.

  • Let them know you've seen it and you're looking into it
  • Update them at least weekly, even if there's no news
  • If it's taking longer than expected, say so
  • If you're closing a report, explain why with enough detail that they understand the decision

Remediation Planning

Before closing a report as fixed, reproduce the original bug to confirm it is actually gone. Test variations of the original payload and preconditions too, since a fix that only blocks the exact reported case often leaves the underlying weakness in place.

Resolution & Rewards

Bounty Determination

When deciding on bounty amounts, consider:

  • Severity level (primary factor)
  • Report quality and clarity
  • Creativity or novelty of the finding

Closing Reports

When closing a report, include:

  • Confirmation that the issue has been fixed
  • Final severity classification
  • Bounty amount and payment details

Response Templates

Copy-paste these and tweak them. Don't send them as-is; mention the specific bug so the researcher knows you actually read their report.

Initial Acknowledgment

"Hi [Bug hunter],

Thank you for this report. I've begun investigating and will update you within [timeframe].

Thanks,
[Your Name]"

Clarification Request

"Hi [Bug hunter],

To reproduce this issue, could you provide:

* [Specific detail needed]
* [Specific detail needed]

Thanks,
[Your Name]"

Valid Report

"Hi [Bug hunter],

We've confirmed this as a valid [Severity Level] vulnerability. It has been assigned to our development team and we expect a fix by approximately [date].

I'll update you once the fix is deployed.

Thanks,
[Your Name]"

Invalid Report

"Hi [Bug hunter],

After review, this report doesn't qualify for a bounty because [specific reason].

[Technical explanation]

Thanks for your submission,
[Your Name]"

Duplicate Report

"Hi [Bug hunter],

This vulnerability was previously reported on [date] and we are already working on a fix. This report won't qualify for a bounty as a duplicate, but we appreciate your effort.

Thanks,
[Your Name]"

Fix Deployed & Bounty

"Hi [Bug hunter],

We've deployed a fix for the vulnerability you reported. We're awarding a bounty of [amount] for this finding. Payment will be processed within [timeframe].

Thanks for helping improve our security,
[Your Name]"

Need a hand with triage?

We can help you set up triage workflows or connect you with an MSP that specialises in it.