As a daily user, your main focus will be managing the lifecycle of a vulnerability submission: from the time it is triaged and validated, to when your team approves the vulnerability, passes it to your development team, and rewards the researcher. Depending on the size of your security team and your role, your responsibilities during this process may vary. Whether you manage just one step of the process or the entire thing, all submission engagement takes place on the ‘Submissions’ page. This is where most of your time will be spent.
Once a vulnerability has been submitted to the program, a notification message is sent to your email as well as to your ‘Notification Inbox’ within Crowdcontrol. Notification alerts can be adjusted to your personal preference; see the notification settings guide to learn how to change them.
Once the vulnerability has been triaged and validated by Bugcrowd, evaluate the submission to determine who on your team is best suited to further validate and approve the bug. Assign that team member using the ‘Assignee’ tool in the right-hand column of the ‘Submissions’ page.
Review the vulnerability report: use the information provided in the submission details to validate the finding and give final approval to the submission. If the report is missing any information (for example, reproduction steps or the affected target), contact the researcher directly using the ‘reply to’ message box below the report. To get a second opinion, record a note, or bring a team member into the process, use the ‘leave a team note’ message box below the report; team notes are not visible to the researcher. See the submission messaging guide for more detail.
After validating the vulnerability, confirm the bug’s priority level on the right-hand side. Once you have reproduced and validated the vulnerability, move the submission to an ‘unresolved’ state. An ‘unresolved’ submission indicates that the vulnerability has been accepted and needs to be fixed. To do this, use the drop-down arrow in the right-hand corner and select ‘unresolved.’ If a ticketing integration is configured, your ticketing system will create a ticket notifying your development team.
A pop-up reward box will appear with a market-rate payout suggestion based on the priority of the vulnerability and your organization's security maturity. The final reward amount may be adjusted manually. Take the organizational impact of the affected target into consideration when deciding whether to increase the payout. Click ‘submit’ to reward the researcher.
Determining the right reward:
Updated about a year ago