At Bugcrowd, one of our guiding principles is that adopters of our products (aka program owners) are only as successful as the security researchers working on their programs. There is mutual interest across the Bugcrowd ecosystem in ensuring that processes, procedures, and communications are designed to make researchers feel safe, valued, and motivated. And we’re proud to say that we’ve built the best triage experience in the industry to meet that goal:
For researchers specifically, triage is the first and most critical point of contact with Bugcrowd. It sets the tone for everything that follows, including rewards. Because we view triage as the primary experience for researchers hunting bugs on the Bugcrowd Security Knowledge PlatformTM, it’s critical that we get that experience right. To help achieve that goal, everything Bugcrowd does during the triage process is based on these goals:
- Fair and impartial treatment for everyone. That includes customers/program owners, researchers, and Bugcrowd team members.
- Focus on speed and accuracy. From a risk perspective, program owners and researchers alike want to see high-impact submissions triaged most quickly. Meeting that goal at scale requires a careful balancing of speed and accurate prioritization.
- Catching and learning from mistakes. With the scale on which we operate, mistakes can happen. We strive to proactively identify, and ideally prevent, mistakes. When mistakes do happen, we acknowledge and correct them, and then whatever is necessary to prevent them from happening again.
In this new guide, we’ve documented how each value is reflected in the Bugcrowd triage experience for researchers. As a teaser, I’ll explain the first one, here.
Fair and impartial treatment for everyone
There are three key aspects of the triage process that help ensure equitable, respectful treatment for everyone in the Bugcrowd ecosystem: Consistent researcher experience, consistent bug and severity classification, and consistent communication and outcomes.
Consistent researcher experience
By hiring application security engineers for in-house triage who are former or current bug hunters, we have intentionally built a team who fully, deeply understands the researcher experience, and will use that knowledge and awareness to advocate on your behalf, because they have been where you are. Furthermore, we work hard to replace inconsistencies with repeatable outcomes on which researchers can rely.
Another significant benefit to an in-house triage team is the ability to amplify the impact of their work, enabling triage speed, scale, and accuracy beyond what any single organization is able to do on its own. That amplification is delivered by the Bugcrowd Platform itself, which arms our human specialists with guided workflows, standardized communications, and a rich security knowledge graph built on modern data infrastructure developed over more than a decade.
As a result, researchers (and program owners) can count on a consistent, predictable experience that includes rapid triage and reward payments, whatever the scale involved.
Consistent bug and severity classification
Another example of how standardization enables respectful treatment is our Vulnerability Rating Taxonomy (VRT). In pre-VRT days, every program brief had different definitions of a “critical” issue–let alone recognition of more nuanced issues. Despite the existence of other standards like CVSS, frustration and confusion were common. While disagreements are always possible, the VRT provides a substantial (and open source) shared severity taxonomy for everyone, and with it, a foundation for consistent engagement between researchers and program owners.
Consistent communications and outcomes
At the scale at which Bugcrowd operates, it’s important to have guided workflows across the triage process. We’ve invested in workflows to ensure prompt, clear, and detailed communication (read about our groundbreaking Request A Response feature here), and arm researchers with tools that help them create high-quality submissions, such as Submission Templates. Additionally, we provide guidelines about how to safely demonstrate impact behind findings. These efforts to help researchers create high-impact submissions make validation, triage, and payments happen more quickly.
The Bugcrowd Platform gives our triage team process flows to follow for each item they work on. This helps us build new templates that provide consistent guides for researcher and customer outcomes. It also extends beyond the VRT, with playbooks for internal validation processes like de-duplication and customer-specific workflows such as validating against certain environments.
Here’s an example:
You’ll notice various codes throughout the workflow. Those codes are used in combination with our platform to build guided, detailed responses for researchers (as well as program owners) at every step of the workflow.
For details about other Bugcrowd values for triage, read our new guide. In future posts, we’ll provide even more details about how key aspects of the triage process (such as appeals) work, as well as our plans for improving them – which never stop!