Bug Bounty Triage
The AppDev on-call person is responsible for looking at and triaging bug bounty reports on a daily basis.
There are two channels that bug bounty reports may come through, HackerOne and the vulnerability disclosure form. The AppDev on-call person is responsible for managing both channels.
HackerOne
HackerOne is a platform that allows researchers to report bugs to Login.gov.
To view the Login.gov feed in HackerOne:
- Login to HackerOne and select “TTS Bug Bounty” from the dropdown in the top left
- Select “Login.gov” in the menu along the top (You may need to click “More” if your screen is not absurdly large).
Any new reports that come in should be validated by you. You can leave team-only comments if you think a bug is a false positive, or ask the researcher for more information. Once you have validated the bug, open a Jira ticket and change the report's state in HackerOne to “Triaged”. When you do that, include the link to the Jira ticket in the Reference ID column.
The vulnerability disclosure form
The vulnerability disclosure form feeds into this Google sheet.
The procedure for reviewing entries in the form is as follows:
- Review the title, description, and impact for each vulnerability report
- If a vulnerability exists, open a Jira ticket and label it a bug
- If the vulnerability could be considered to have a high or critical impact, consult the product owner for immediate prioritization. Otherwise, it will be prioritized at the next backlog grooming
- Comment on the “Impact” cell for the report detailing the actions you took.
H1 Resources
- H1 Bug bounty field manual: https://www.hackerone.com/sites/default/files/2017-05/Bug-Bounty-Field-Manual-complete-ebook.pdf
- Twitter feed to view recently publicly disclosed bugs: https://twitter.com/disclosedh1
- Blog post with advice on triage: https://www.hackerone.com/blog/bug-bounty-5-years-in-uber-facebook