We are excited to announce that organizations can now increase the visibility into their program with known issue sharing. Sharing known issues will disclose categories of vulnerabilities, based on Bugcrowd’s Vulnerability Rating Taxonomy (VRT), that have been discovered on a specific target to better direct a researcher’s testing efforts towards low-touch targets and less commonly found vulnerability categories.
The success of any bug bounty program relies on an organization’s ability to share the right information with researchers early and often. This starts with communicating clear expectations and scope details to direct researchers’ attention towards the targets that matter the most.
As a program matures, the likelihood of a researcher finding a vulnerability that has already been found increases. An increase in duplicate submissions is a good indicator the vulnerability is more likely to be found by other external parties, which include bad actors. However, an excessive number of duplicates could be seen as an inefficient use of the researchers’ time as these issues are already known by the organization and efforts to remediate the vulnerability are often in effect.
Sharing known issues with researchers now increases the visibility and improves the researchers’ knowledge of the testing landscape ultimately boosting the likelihood of them finding more unique vulnerabilities across more targets. When researchers are given the proper information, they can quickly identify the focus areas that the organization would like tested increasing the likelihood of results that will help reduce the risk of the business’s assets and get the researcher paid out.
How it works:
This is an opt-in feature that can be enabled on a program. To start sharing known issues with researchers, navigate to the Program Settings page.
From the Program Brief tab, find the Known Issues section. Enable displaying Known Issues count on your program brief.
Once you update the program brief researchers viewing the brief will see breakdowns under Targets.
(Left number represents accepted issues [triaged, unresolved, or won’t fix]; right represents duplicates)
The Importance of Accurate Data:
The goal of sharing known issues is to increase the efficiency and effectiveness of the researchers participating on a program. This starts by ensuring the program’s target and submission data is up to date. For example, if the program’s Target Directory is not yet set up, the researchers will not be able to identify the coverage to best direct their testing efforts to low-touch targets. Additionally, if old submissions have not yet been backfilled and classified based on the VRT, then researchers will not be able to identify commonly found vulnerability types and adjust their efforts to find more unique vulnerabilities categories. To ensure the best results, we suggest you check to make sure your submission data is current when enabling known issue sharing. This can be done by identifying submissions labeled as “other” – use the tokenized search functionality to search for submissions set as “vrt:other” and change the VRT categorization to the appropriate classification. Providing accurate, real-time program data allows researchers to adjust their testing strategies to increase the coverage and impact of findings ultimately reducing the security risk of a business’s assets.
To learn more about how the new known issue sharing feature take a look at our Crowd control documentation (customer – researcher). If you have any thoughts, ideas, or questions, we’d love to hear from you at firstname.lastname@example.org.
This feature is available for Bug Bounty Programs (private and public ongoing, and on-demand) or any public listed Vulnerability Disclosure Program.