One of the key initiatives for Bugcrowd is streamlining communication between researchers, customers, and ourselves. At the heart of all of this communication are researcher submissions, including the comments and content of those submissions. After the work is done and an impact is identified, the origin point of communication between all parties is the submission itself. Historically, we’ve often talked about how a good, well-crafted submission makes the difference between good research and great research. However, we haven’t done a very good job of defining and demonstrating exactly what a good submission looks like.
So, how do we make that better? How do we make it clear what a good submission looks like? Additionally, how can we make creating a good submission as attainable as possible, even if English isn’t your first language?
Introducing Bugcrowd Researcher Submission Templates
To help bridge this gap, we’ve added submission templates to the Bugcrowd Platform. As of today, we now have over 100 templates available.
When you select a VRT category, a template will populate in the description field, giving you a base to work from as you craft your submission. Next, fill the template out and add detail that’s specific to your finding, including reproduction steps and any additional impact that should be highlighted.
For example, if you were to select SQL Injection as a finding, you’d see the following populated:
You’ll notice we’ve broken these templates down into a few key areas:
- An Overview – this is largely intended for customer guidance. Upon receiving your submission, customers will be able to send your finding(s) to members that may not have a security background, and allow them to understand the essence of your finding.
- Business Impact – this is where you outline what impact your finding potentially has for the company that you’re reporting to. Based on the VRT, the templates provide a starting point. You can then expand on this with additional impact, depending on the nature of your finding.
- Steps to Reproduce – this is where you break down from start to finish the steps one would go through to reproduce your finding.
With each template, you’ll find additional guidance to help you understand what triage and customers are seeking when validating each VRT category. For example, when you select SQL Injection, you’ll find the following on the left-hand side:
This outlines safe, reproducible steps that you should prove within your submission to help streamline the reproduction of your finding.
Take SQL Injection as an example. These findings can often be false positives, because variable system timing triggers alerts in automated tools (time-based blind SQL Injection). By following the above guidance, you will see that, where possible, you should produce a payload which retrieves the destination database name with your finding (a safe method which doesn’t expose core data of that system). If your finding initially includes this, it limits the steps that triage and you need to go through to satisfy validation of your finding.
Maturing Templates and Guidance
This is the starting point for templates and guidance, but certainly not the limit of the work we’re putting into this area. We’ve open-sourced both, and you can find the templates on GitHub. You can suggest changes, contribute new templates, or discuss existing templates (using GitHub Issues). If you contribute significantly, we’ll also be sure to reach out to you to offer some swag and other items.
We’re launching with 100 templates and in the near future we’ll have all major VRT categories covered with both templates and guidance for researchers. We’ll continue to refine and enhance these from there, based upon feedback from you, our valued crowd. We hope you enjoy these, and we can’t wait to show you what else we’ve been working on in this area soon!
Don’t miss out on more exciting platform updates! Subscribe to our Twitter, check out our researcher documents, and join our Discord for the latest on Bugcrowd. Be sure to keep your eye out for our next announcement, or email us at email@example.com.