A hackers perspective on bug bounty triage
In the last few days, I have been able to have productive conversations with my peers in the bug bounty community including Patrik who works on the triage team and Luke who leads community efforts from HackerOne. Patrik has helped clear up misconceptions and Luke, as always, has been responsive and empathetic.
As a reporter, I am privileged to have access to a triage system which adds efficiency to the bug bounty process. However, it's clear to me that there are some misconceptions when it comes to triage that us hackers on the other side may fail to fully understand, because the truth is, there's little education on how the triage process and system works end to end.
In this blog post, I would like to help clear up some of these misconceptions, but also highlight some of the inherent implications of the triage process where I wished there was more focus on empathising with the researcher.
Are they the gatekeepers?
One might think that if your report is not triaged, the security team on the other side may not see your security report. This is often a misconception that hackers make, and I have been told that any vulnerability reported to a team goes into a shared inbox, where the triage team are only guest users of that inbox.
While the triagers are still only technically guest users in a security teams inbox, they still have a great influence over the treatment of vulnerabilities. In many cases, security teams using triage services are relying on the triage team to judge the severity of vulnerabilities for all incoming reports where possible.
From my experience, often the severity that the triager sets, has a great deal of influence on the final severity decided by the security team. In many cases, the severity does not change, and in some cases, the security team increases the severity. I have rarely ever had a time where a severity is marked too high by a triager and the security team downgrades it.
Even though the triagers are guest users, often security teams will not investigate potential vulnerabilities until they are triaged. On this point, it gets incredibly tricky, when you as a hacker are confident that a security issue should be considered by a security team, but a triager has a different opinion.
On the surface, it may seem like triagers are only guest users and hence aren't gatekeepers, but when you dig into the dynamics of triaging, the influence and responsibility of triagers holds a lot of weight as to whether or not your vulnerabilities are investigated by security teams, how quickly are investigated by the security team, and also the speed and the amount at which they are paid out.
What about CVSS?
CVSS is a beast, and I don't mean that in a good way. I've had triagers tell me that I should respect their CVSS scoring and that my judgement on a vulnerability is wrong, because "CVSS is strict".
However, when digging into the justifications for a CVSS rating, it's often easy to find disagreements in the way something is scored. The issue with these disagreements, is that the difference between a medium vs. a high rating, is often a difference in thousands of dollars. On the platform security side, it can also make a large difference as to the level and effectiveness of the incident response to the reported findings. As I mentioned earlier, security teams are placing more and more trust on the triagers risk rating as time goes on, you're pretty lucky if they adjust the rating in your favour after it has been triaged.
What I would like to see more of during triage, is a collaborative effort between the hacker and triager to determine the CVSS when a disagreement arises. This not only leads to a better outcome for hackers, but better and more consistent security outcomes for security teams running bug bounty programs.
Due to the nature of CVSS, us hackers and even triagers are going to get it wrong sometimes, but the way in which we handle these disagreements is absolutely key to ensuring positive outcomes for everyone involved. For triagers, they are rightfully cautious about triaging a finding too high and sounding a false alarm for the security team, so some caution is understandable. For hackers and security teams however, this can have serious impact to the handling of the finding. As hackers, we want the experience to be impactful and meaningful, as we put a lot of work into our findings.
Sometimes, even a skilled triager wont have the same context as the security team or the researcher (who spent a lot of time understanding the system).
Recently, a great blog post on sliding bounties was published by Douglas Day. I would love for this concept to be widely adopted by programs, where triagers work with hackers to determine more accurate CVSS scoring in the process.
What about the demeanour?
Historically speaking, my worst experiences with triagers are related directly to the attitude and demeanour of the triager on the report. When I have been hacking on a program for a long time, and in return, I experience negative overtones, doubt and attitude from the triager, the whole experience of reporting to the bug bounty program is almost immediately ruined for me.
This doesn't happen often, but when it does, it really sucks. It feels like the triager does not have the empathy to realise the many hours, sometimes days of work that has been put in for the report, and overall it degrades the hacker experience terribly.
If I was a triager, I would be doing my best to avoid arrogance, take the benefit of the doubt, and work with the hacker in a positive manner to approximate risks. Nothing is worse than having a report shot down by a triager who thinks they know more than you, signified by their attitude in their responses. I want to feel like the triager has my best interests at heart, especially as an established hacker with good reputation.
What about the skills gap?
Something raised to me was the fact that there is an incredible skills gap in the cybersecurity industry and a shortage of triagers. Triagers can often be junior staff who are just breaking into the industry.
Honestly, I think that it is amazing that bug bounties are facilitating careers for people breaking into cyber security, through triage roles. I know how difficult it is to get started in this industry, and I have nothing but love, time and empathy for junior triage staff on any platform.
I am never upset when a triager is upfront about their inability to reproduce something, and I always respond professionally with assistance to reproduce something.
I would actually prefer a team of junior triagers with positive attitudes, demeanour and gracefulness than a team of experienced triagers who treat you poorly.
With this blog post, I hope that any triagers reading this will understand that hackers appreciate their demeanour just as much as, if not more than, they appreciate technical abilities.
When can you disclose?
Even though the vulnerability you report to a program is marked as informative, or not accepted, you do not have the right to disclose the vulnerability without permission.
The best route to take when pursuing disclosure, is going through the official request for disclosure within the platform you are working on, or directly asking the security team for the right to disclose within the report.
When you have reported a vulnerability to a security team, you are giving up the intellectual property for that vulnerability and you no longer have the right to disclose it, as technically, it is no longer yours.
I made this mistake recently, and I wanted to make it clear to other hackers that you will likely get a warning from the mediation team with a request to take down anything publicly disclosed if this happens. Misunderstandings happen and it's important to recognise that, but further educating yourself on the nature of reporting and disclosing security vulnerabilities is equally as important.
Conclusion
I hope this blog post clears some misconceptions for hackers, but also gets my perspective across to triagers that may be reading this.
My honest thoughts on this is that as long as you are treating each other with decency, respect and without negative overtones in your responses, you're going to be a great triager, and both hackers and security teams are going to love working with you.
Humility is key here, and I try my best to practice it as a hacker. If you have a skills gap, I will always have the patience to explain and demonstrate my findings. If you disagree with my judgement, I will always be willing to have a kind-hearted discussion. But please, let's treat each other with respect on reports.