After receiving the latest feedback from the crowd, we enhanced the Researcher experience through developing and expanding features on Crowdcontrol.
Included in this update:
- Known Issues Improvements
- Payments Export
- Won’t Fix Points
Updating Known Issues
Known Issues has received a visual update, corresponding to the breakdown of the VRT categorization on each target. The total number of reported vulnerabilities per category type is now visible, as well as the number of unique submissions received.
Exporting Payment Records
CSV payment export is now live in the platform. On your personal Payments page, there is an export button to conveniently download all your Remitted Payments information for record-keeping purposes.
Prioritizing Your Points
At Bugcrowd, all valid bugs are assigned a priority rating based on the severity of the security impact, which is guided by the VRT. Higher severity or Critical issues (such as SQLi resulting in remote code execution) receive higher awards than low severity issues. In return, prioritization influences how rewards are assigned.
As of today, we are making the following change to the “won’t fix” state: Submissions that are moved to a “won’t fix” substate will have the appropriate kudos points assigned based on prioritization, ensuring that all valid submissions are recognized for their efforts. Additionally, this change has been applied to qualifying submissions dating back to May 2017.
Earning Kudos Points for Valid, First-to-Find Bugs
You are rewarded kudos points for each valid, unique bug that you report. You must be the first person to report the bug to earn the full kudos points.
Each bug is rated on a priority scale of P1 – P5, with points rewarded accordingly.
Earning Kudos Points for Duplicate Bugs
Points are also rewarded to duplicate bugs based on issue severity. Points are rewarded when the original bug is accepted by the program owner.
UPDATE: October 11, 2018
Since this blog went live on Thursday, October 4, 2018, we have received inquiries from our Crowd wanting to better understand why a submission may or may not qualify for the allocation of points when a submission is classified as “Won’t Fix.” In order to make this more transparent, we are clarifying the following:
Submissions received between May 2017 and the blog’s release must have passed through the following workflow to qualify for point rewards:
“A submission MUST have moved from the ‘New’ state to the state ‘Triaged’ before it was transitioned to the ‘Won’t Fix’ state.”
Going through the “Triaged” state indicates that Bugcrowd’s Application Security Engineer team reviewed the submissions’ content and verified that the submission qualified for potential acceptance at the time the report was submitted. The Program Owner then reviews the submission’s content, and accepts for Reward or provides reasoning why a validated submission is not eligible for reward. This reserved discretion includes risk acceptance or other internal policy.
Because Submissions CAN move directly from “New” to “Won’t Fix”, we were required to disqualify submissions received between May 2017 and the blog’s release which did not pass through this process, as they were not validated by the ASE. Submissions were disqualified if:
- The VRT categorization is determined as “Won’t Fix”
- The Program Owner indicated to the assigned Application Security Engineer that the same issue has been previously reported and the client considers it a “Won’t Fix”
Going forward all submissions made, which result in a Won’t Fix, will receive applicable points, regardless of whether or not they transition through the “Triaged” state. At this time, all outstanding submissions have had the applicable points rewarded.
For the most recent changes to Crowdcontrol, please refer to the Bugcrowd Changelog.
