- Overview
- Key Benefits
- Prerequisites
- How to Enable the Assistant
- Using the AI Triage Assistant
- Security and Data Privacy
- Frequently Asked Questions (FAQ)
Overview
The AI Triage Assistant is a secure, in-platform AI operational assistant designed to empower your security team. Embedded as a conversational chat interface within the Submission Inbox, the Assistant transforms vulnerability triage from a static checklist into a dynamic, conversational investigation. It allows analysts to ask questions, probe for details, and explore context in natural language—without leaving their primary triage workflow.
Key Benefits
- Accelerate Triage: Get instant summaries, payload explanations, and technical breakdowns to make faster, more informed decisions.
- Gain Deeper Insights: Go beyond the written report by asking for analysis on business impact or potential attack chains.
- Improve Operational Efficiency: Generate triage artifacts on demand, including remediation guidance and Nuclei templates for retesting.
- Work Securely: Unlike public AI tools, the Assistant operates entirely within the Bugcrowd platform. Your sensitive data is never exposed or used to train third-party models.
Prerequisites
Before enabling the Assistant, the following requirement must be met:
- Global Control of LLMs: The Organization Owner must have the Global Control of LLMs set to Enabled in the Organization Settings. If this control is Disabled, the feature cannot be activated at the program level.
How to Enable the Assistant
Once the global prerequisite is met, the AI Triage Assistant is available as a program integration.
- Navigate to the Integrations page in your program settings.
- Locate the AI Triage Assistant card.
- Select Enable to activate the Assistant for your security program.
Using the AI Triage Assistant
Once enabled, the Assistant is accessible to your team directly from within the Submission Inbox.
1. Accessing the Assistant
Navigate to the Submission Inbox. The AI Triage Assistant appears as a chat interface in the bottom-right corner of the page.
2. The Interface
- Chat Component: The Assistant lives in a chat window in the lower-right corner. Use the minimize icon to hide the chat or the expand icon to open it in full-screen mode.
- Suggested Prompts: When you open the chat, you’ll see one-click prompts for common triage tasks such as summarizing a submission or requesting remediation guidance.
- Text Input: A text input field at the bottom of the chat window allows you to type your own custom questions.
- Clear Conversation (Delete): Select Delete to clear the current conversation history. This is useful when starting a new topic or analysis to ensure the context is fresh.
3. Understanding Secure Context
The Assistant is context-aware and focuses on the submission you are currently viewing. When you open the Assistant on a submission, it automatically references submission details, comments, and engagement metadata (brief, targets, reward range) as secure context to inform responses. This ensures relevance and accuracy.
Tip: The Assistant only “sees” the submission you are currently viewing. If you navigate to a new submission, the chat context resets to focus on that new vulnerability automatically.
4. Capabilities & Limitations
- Text-Based Only: The Assistant analyzes the text and metadata present in the submission. It cannot currently interpret images, videos, or attached media files.
- No File Uploads: The Assistant does not currently support direct file uploads.
5. Example Prompts and Best Practices
Use natural language to interact with the Assistant. For deeper insights, such as business impact, it helps to include additional context about your environment.
Summarize Submissions
- “Summarize this submission.”
- “Summarize the commentary on this submission.”
Explain Technical Concepts
- “Explain this payload and how it works.”
- “Explain this vulnerability to me as if I were a junior developer.”
- “What is a ‘Time-of-check to time-of-use (TOCTOU)’ race condition?”
Assess Business Impact
- “What is the potential business impact of this submission?”
- “Explain the impact of this XSS vulnerability on a public-facing login page.”
- “Model a potential attack chain for this flaw.”
Accelerate Triage
- “Generate a valid Nuclei template for this submission.”
- “Suggest remediation guidance for this submission.”
- “Draft a comment asking the researcher for a video PoC.”
Security and Data Privacy
The AI Triage Assistant is designed with security and privacy as top priorities.
- Secure, Private Environment: All operations occur within the Bugcrowd platform, leveraging LLMs hosted in our secure Amazon Bedrock environment. Data is never exposed to the public internet or third-party models.
- No Third-Party Training: Your program data is never used to train AI models.
- Secure, Ephemeral Context: The Assistant uses submission-specific data only for the duration of a single query.
- Tenant Isolation: The Assistant cannot access any other Organization’s data. It operates with a strict zero-tolerance policy for cross-tenant access.
For more information, please reference the Global Control of LLMs documentation.
Frequently Asked Questions (FAQ)
Q: How is this different from a public tool like ChatGPT?
A: The AI Triage Assistant is secure and context-aware. It keeps your data private within the Bugcrowd platform and uses submission data to generate highly relevant analysis.
Q: Will the Assistant automatically change a submission’s status or priority?
A: No. The Assistant is a read-only analysis tool. It cannot change status, priority, or reward values.
Q: Can the Assistant see data from other Bugcrowd customers?
A: No. The Assistant can only access your organization’s data.
Q: Can the Assistant access other program data in my organization?
A: Yes. The Assistant operates based on the specific permissions of the user currently using it. It can access submission data across any programs in your organization that you have explicit access to.
Example: Suppose an Organization has Program A, Program B, and Program C. If you have access to Program A and Program B, but not Program C:
- The Assistant can use data from Program A and Program B to answer your questions.
- The Assistant cannot access or reference any data from Program C.
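As an added illustration of the scoping rules described in the Secure Context section and in this FAQ answer, the following Python model enforces them deny-by-default: a query is answered only from the submission currently in view, that submission must belong to the caller's own organization and to a program the caller has explicit access to, and the chat history is discarded whenever the analyst navigates to another submission or selects Delete. This is not Bugcrowd's code and the page does not describe the Assistant's implementation; the class names, the `Submission`/`User` fields and all sample data (organizations "acme" and "globex", submissions S1 to S4) are constructed for the example.

```python
"""Added example, not Bugcrowd code: a deny-by-default context builder that
mirrors the page's scoping rules. All identifiers and data are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Submission:
    id: str
    org: str       # owning organization (tenant)
    program: str   # program the submission was filed against
    title: str
    body: str


@dataclass(frozen=True)
class User:
    id: str
    org: str
    programs: frozenset  # programs the user has been explicitly granted


class AccessDenied(Exception):
    """Raised when the requested submission is outside the user's scope."""


# Constructed sample store: "acme" has Programs A, B and C; "globex" also has
# a "Program A", so program names alone are not a safe scoping key.
SUBMISSIONS = {
    "S1": Submission("S1", "acme", "Program A", "Reflected XSS on login", "..."),
    "S2": Submission("S2", "acme", "Program B", "IDOR on invoices", "..."),
    "S3": Submission("S3", "acme", "Program C", "SSRF in webhook", "..."),
    "S4": Submission("S4", "globex", "Program A", "Open redirect", "..."),
}


def can_access(user, sub):
    """Both conditions must hold: same tenant AND explicit program access."""
    return sub.org == user.org and sub.program in user.programs


def build_context(user, submission_id, store=SUBMISSIONS):
    """Return the secure context for one query, or raise AccessDenied."""
    sub = store.get(submission_id)
    # One error for "missing" and "forbidden" so a denial does not reveal
    # whether a submission id exists in another program or tenant.
    if sub is None or not can_access(user, sub):
        raise AccessDenied(submission_id)
    return {"submission": sub.id, "program": sub.program,
            "text": f"{sub.title}\n{sub.body}"}


def try_build_context(user, submission_id, store=SUBMISSIONS):
    """Convenience wrapper: the context dict, or None when access is denied."""
    try:
        return build_context(user, submission_id, store)
    except AccessDenied:
        return None


def accessible_submissions(user, store=SUBMISSIONS):
    """Every submission id the user could open the Assistant on."""
    return sorted(s.id for s in store.values() if can_access(user, s))


class AssistantSession:
    """Chat context is ephemeral: rebuilt on navigation, cleared on Delete."""

    def __init__(self, user):
        self.user = user
        self.current = None   # context of the submission in view
        self.history = []     # questions asked in the current conversation

    def navigate(self, submission_id):
        # Access is re-checked on every navigation; history resets automatically.
        self.current = build_context(self.user, submission_id)
        self.history = []

    def ask(self, question):
        if self.current is None:
            raise AccessDenied("no submission in view")
        self.history.append(question)
        return {"scope": self.current["submission"], "turns": len(self.history)}

    def clear(self):
        # The "Delete" control from the page: drop history, keep the current scope.
        self.history = []


if __name__ == "__main__":
    alice = User("u1", "acme", frozenset({"Program A", "Program B"}))
    print(accessible_submissions(alice))        # ['S1', 'S2']
    print(try_build_context(alice, "S3"))       # None (Program C not granted)
    print(try_build_context(alice, "S4"))       # None (other tenant)
```

The authorization check is applied when the context is built rather than when the answer is rendered, so a question can never be answered from data the caller could not open in the Submission Inbox; the identical error for missing and forbidden ids keeps the Assistant from confirming that a submission exists in a program the user cannot see.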
Q: Can I upload files like screenshots or logs for the Assistant to analyze?
A: No. The Assistant currently does not support file uploads. It analyzes the text and metadata already present in the submission.
Q: Can the Assistant analyze images or videos in the submission?
A: No. The AI Triage Assistant is text-based. It cannot interpret images, videos, or media files.