Every year as a HackerOne Clear verified researcher, I’m required to register on a couple of vendors that HackerOne uses. As I was going through the process of providing my social security number, 7 years of address history, my mother’s maiden name, and last bowel movement, I saw a little familiar popup in the bottom left corner:
Bug Bounty Hunting is an ever-changing ecosystem - what works in one season may not work in another. As such, and as with any discipline, being able to evaluate yourself and adjust your course when things stop working is imperative.
If you’ve been doing bug bounty for any time, either as a hunter or a program, you’ve doubtless heard complaints about CVSS scoring. The typical scenario will look something like this - a hacker will file a report (likely with a laughably inflated CVSS score), set the severity that they think the report is, get their expectations set on receiving $X, the triage service will validate the report, assign a score using a CVSS Calculator, and mark the report as Triaged (barring any back and forth around reproduction steps).