Bugbop with spider-like logo

Triaging Bug Reports

Learn how to effectively triage and respond to security reports

← Back to Documentation
Related Pages

The Triage Process

Effective triaging is essential for maintaining a successful bug bounty program. It ensures that security issues are properly evaluated, prioritized, and resolved while building positive relationships with Bug Hunters.

Triage Workflow Overview

  1. Initial review: Perform a quick assessment to determine validity and scope
  2. Detailed investigation: Thoroughly evaluate reproducibility and impact
  3. Severity assessment: Determine the risk level and assign appropriate severity
  4. Researcher communication: Acknowledge receipt and provide feedback
  5. Internal escalation: Route the issue to the appropriate teams
  6. Remediation planning: Coordinate fix development and testing
  7. Resolution and rewards: Close the report and award bounties
Important: Aim to provide an initial response to all reports within 24-48 hours, even if it's just to acknowledge receipt. Fast response times are one of the most important factors in researcher satisfaction.

Initial Assessment

The first step in the triage process is a quick assessment to determine whether a report requires further investigation.

Scope Validation

Check whether the reported vulnerability affects an asset within your defined scope:

  • Verify that the affected domain, application, or component is explicitly listed in your scope
  • Check whether the vulnerability type is explicitly excluded in your program policy
  • If a report is technically out-of-scope but still valuable, consider making an exception

Validity Check

Determine whether the report describes a genuine security issue:

  • Does it describe a clear security vulnerability (not just a feature request or UX issue)?
  • Is there enough information to understand and potentially reproduce the issue?
  • Does it affect the confidentiality, integrity, or availability of your systems or data?

Duplicates

Check whether the vulnerability has been previously reported:

  • Search your existing reports for similar vulnerabilities
  • Compare technical details, not just vulnerability categories
  • If it's a duplicate but with additional attack vectors or impact, consider treating it as a related but unique finding

Severity Evaluation

Accurately assessing severity is crucial for prioritizing fixes and determining bounty rewards.

CVSS Scoring

Bugbop uses a simplified version of the Common Vulnerability Scoring System (CVSS) to evaluate report severity:

Factor High (3 points) Medium (2 points) Low (1 point)
Impact Complete compromise of system, data breach, full control Significant data leak, functionality compromise Minor information disclosure, limited impact
Exploitability Remote, no authentication, easily automated Requires low privilege account, some complexity Requires specific access, complex conditions
Asset Criticality Authentication system, payment processing, PII User account management, non-critical data Marketing pages, non-sensitive content

Calculate severity by adding the points from each category:

  • Critical (8-9 points): Severe vulnerabilities with high impact and easy exploitability on critical assets
  • High (6-7 points): Significant vulnerabilities with substantial impact
  • Medium (4-5 points): Moderate vulnerabilities with limited impact or exploitability
  • Low (3 points): Minor vulnerabilities with minimal real-world risk
Pro Tip: While the scoring system provides a good framework, use your judgment for the final determination. Some vulnerabilities might have unique characteristics that aren't fully captured by the scoring system.

Researcher Communication

Clear, respectful, and timely communication with security researchers is essential for a successful bug bounty program.

Initial Response

For every valid report, your first communication should include:

  • Acknowledgment of receipt
  • Confirmation that you've begun investigation
  • Expected timeline for next update
  • Any clarifying questions if needed
  • Appreciation for their submission

Ongoing Updates

Keep researchers informed throughout the resolution process:

  • Provide status updates at least every 5-7 days
  • Be transparent about any delays in verification or fixing
  • Share information about reproduction successes or failures
  • When appropriate, explain your severity assessment

Invalid Reports

When declining reports, provide constructive feedback:

  • Explain clearly why the report doesn't qualify
  • Provide specific technical details if there's a misunderstanding
  • Suggest how they might improve future reports
  • Maintain a respectful tone even when rejecting reports
Success Strategy: Even when a report is invalid, consider thanking the researcher for their time and effort. This positive reinforcement encourages continued participation in your program.

Remediation Planning

Once a vulnerability is confirmed, coordinate with the development team to plan and implement fixes.

Prioritization

Work with technical teams to determine fix priority based on:

  • Severity level
  • Exploitation likelihood
  • Current exposure (number of affected users/systems)
  • Existing mitigating controls
  • Development resources available

Fix Verification

Before closing a report, ensure the vulnerability has been properly fixed:

  1. Request detailed information about the fix from the development team
  2. Attempt to reproduce the original vulnerability using the researcher's steps
  3. Test variations of the attack vector to ensure the fix is comprehensive
  4. Document the verification process and results

Temporary Mitigations

While waiting for a permanent fix, consider implementing:

  • Web Application Firewall (WAF) rules
  • Feature toggles to disable vulnerable functionality
  • Rate limiting or additional monitoring
  • Access restrictions for affected components

Resolution & Rewards

Once a vulnerability has been fixed, it's time to close the report and determine appropriate rewards.

Bounty Determination

When deciding on bounty amounts, consider:

  • Severity level (primary factor)
  • Report quality and clarity
  • Creativity or novelty of the finding
  • Additional research beyond the initial discovery
  • Helpfulness of the researcher throughout the process
  • Whether the vulnerability was previously unknown to your team

Closing Reports

When closing a report, include:

  • Confirmation that the issue has been fixed
  • Technical details about the fix (when appropriate)
  • Final severity classification
  • Bounty amount and payment details
  • Appreciation for the researcher's contribution
  • Any additional recognition (hall of fame, leaderboard points, etc.)

Researcher Recognition

Consider additional ways to recognize valuable contributions:

  • Public acknowledgment (with researcher permission)
  • Invitation to test new features or products
  • Special program access or VIP status
  • Bonuses for exceptional reports or multiple valid findings

Response Templates

To maintain consistency and save time, use these customizable templates for common scenarios.

Initial Acknowledgment

"Hi [Researcher],

Thank you for submitting this report. I've begun investigating your findings and will update you on our progress within [timeframe, e.g., 2-3 business days].

If you have any additional information that might help with our investigation, please let me know.

Thanks,
[Your Name]
[Program Name] Team"

Clarification Request

"Hi [Researcher],

Thank you for your report. To help us better understand and reproduce this issue, could you please provide the following additional information:

• [Specific detail needed]
• [Specific detail needed]
• [Specific detail needed]

This will help us properly assess the vulnerability and determine next steps.

Thanks,
[Your Name]
[Program Name] Team"

Valid Report

"Hi [Researcher],

We've completed our investigation and confirmed this is a valid vulnerability. Thank you for your careful work on this report.

We've classified this as a [Severity Level] issue and have assigned it to our development team for remediation. We expect to have a fix implemented by approximately [date].

I'll keep you updated on our progress and let you know once the fix has been deployed.

Thanks again for helping improve our security,
[Your Name]
[Program Name] Team"

Invalid Report

"Hi [Researcher],

Thank you for your submission. After careful review, we've determined that this report doesn't qualify for a bounty because [specific reason].

[Provide specific technical explanation]

We appreciate your participation in our program and encourage you to continue submitting reports. For future submissions, you might want to consider [helpful suggestion].

Thanks,
[Your Name]
[Program Name] Team"

Duplicate Report

"Hi [Researcher],

Thank you for your report. We've determined that this vulnerability was previously reported by another researcher on [date], and we're already working on a fix.

While this specific report won't qualify for a bounty as a duplicate, we still appreciate your effort in finding and reporting this issue. Please continue to participate in our program.

Thanks,
[Your Name]
[Program Name] Team"

Fix Deployed & Bounty

"Hi [Researcher],

Great news! We've successfully deployed a fix for the vulnerability you reported. The issue was resolved by [brief description of fix if appropriate].

Based on our assessment, we're awarding you a bounty of [amount] for this report. The payment will be processed within [timeframe].

Thank you again for your valuable contribution to our security. We greatly appreciate your help in making our platform safer for all users.

Best regards,
[Your Name]
[Program Name] Team"

Final Tip: While templates are helpful for consistency, always personalize your responses to acknowledge the specific details of each report. This personal touch shows researchers that their work is being carefully considered.