User Start-Up Guide

As a daily user, your main focus will be to manage the lifecycle of a vulnerability submission, from the time it is triaged and validated, to when your team approves the vulnerability, passes it to your development team, and rewards the researcher. Depending on the size of your security team and your role, your responsibilities during this process may vary. Whether you manage one step of this process, or the entire thing, all submission engagement will exist on the Submissions page. This is where most of your time will be spent.

1. Receive Notification

Once a vulnerability has been submitted to the program, a notification message will be sent to your email as well as to your Notification Inbox within Crowdcontrol. Notification alerts may be adjusted to your personal preference. For more information, see managing notifications to learn how to change your notification settings.

2. Evaluate Vulnerability

Once the vulnerability has been triaged and validated by Bugcrowd, you will need to evaluate the submission to determine who on your team is best suited to further validate and approve this bug. Assign the appropriate team member using the Assignee tool in the right hand column of the Submissions page.

3. Validate Vulnerability

Review the vulnerability report - use the information provided within the submission details to validate and give final approval to the submission. If the report is missing any information, contact the researcher directly using the reply to message box below the report. To get a second opinion, leave a note, or include a team member in this process by using the leave a team note message box below the report. For more information, see commenting submission.

4. Approve Vulnerability

After validating the vulnerability, confirm the bug’s priority level on the right hand side. Move the submission to an unresolved state once you recreated and validated the vulnerability. An unresolved submission indicates that this vulnerability needs to be fixed. To do this, use the drop down arrow in the right hand corner and select unresolved. If integrated, your ticketing system will send a ticket notifying your development team.

5. Reward Vulnerability

A pop-up reward box will appear with a market rate payout suggestion based on the priority of the vulnerability and your organization’s security maturity. The final reward amount may be manually adjusted accordingly. Take into consideration the organizational impact of the target to determine an increase in payout. Click Submit to reward the researcher.

Determining the right reward: Take a look at Bugcrowd’s VRT (Vulnerability Rating Taxonomy) and DVPM (Defense Vulnerability Pricing Model) to better understand the science behind prioritizing and paying out vulnerabilities.