Bug Bounty Triage

The AppDev on-call person is response for looking at and triaging bug bounty reports on a daily basis.

There are two channels that bug bounty reports may come through, HackerOne and the vulnerability disclosure form. The AppDev on-call person is responsible for managing both channels.

HackerOne

HackerOne is a platform that allows researchers to report bugs to Login.gov.

To view the Login.gov feed in HackerOne:

Login to HackerOne and select “TTS Bug Bounty” from the dropdown in the top left
Select “Login.gov” in the menu along the top (You may need to click “More” if your screen is not absurdly large).

Any new reports that come in should be validated by you. You can leave team only comments if you think a bug is a false positive or ask for more information from the researcher. If you have validated the bug, open a Jira ticket and change the state in HackerOne to “Triaged”. When you do that, include the link to the Jira ticket in the Reference ID column.

The vulnerability disclosure form

The vulnerability disclosure form feeds into this Google sheet.

The procedure for reviewing entries in the form are as follows:

Review the title, description, and impact for each vulnerability report
If a vulnerability exists, open a Jira ticket and label it a bug
If the vulnerability could be considered to have a high or critical impact, consult the product owner for immediate prioritization. Otherwise, it will be prioritized at the next backlog grooming
Comment on the “Impact” cell for the report detailing the actions you took.

H1 Resources

H1 Bug bounty field manual

https://www.hackerone.com/sites/default/files/2017-05/Bug-Bounty-Field-Manual-complete-ebook.pdf

Twitter feed to view recently publicly disclosed bugs:

https://twitter.com/disclosedh1

Blog post with advice on triage

https://www.hackerone.com/blog/bug-bounty-5-years-in-uber-facebook