Glimpse of Bug Bounty

Tags: Reference
Date: Jun 27, 2022

Build simple guidelines for the First Responder's handling of initial triage.
 
The general steps:
  1. Respond and close out the submission if the submission falls outside of the scope of the Bug Bounty program.
  2. Respond and close out the submission if the issue has been previously identified.
  3. If the submission looks valid, risky, and new, we respond to the researcher letting them know that validation is underway and that we will be in touch once we have an update.
  4. Validation can typically be performed directly by the Application Security team member performing the triage.
  5. If we have validated the issue, or have reached the limits of our initial validation and need some expertise from the engineering team, we open an internal tracking issue under the relevant source repository.
 
When we communicate our decision on the validity of the issue to a researcher, we also detail next steps in the process. These steps include the engineering team or Application Security team developing a fix based on the discussed remediation and the Application Security team determining the finalized risk of the issue.
 