I had heard many horror stories about Bugcrowd triage but didn’t really believe it.
Now, don’t get me wrong, there are definitely some good triagers on the team. But my experience with a lot of them has left a sour taste in my mouth, and I know I am not the only one.
Most recently, I submitted a report on a program about an XSS issue. I found two identical-looking endpoints vulnerable to the same issue. So, I issued one report, thinking that two reports would just spam their triagers (since, from what I could tell, the company would probably fix the two endpoints together, and I highly doubt they would’ve paid both reports if a single researcher submitted them).
The report got closed as a duplicate, and I was not added to the duplicate report, so I had to take the triager’s word for the fact that BOTH endpoints mentioned in my report were a part of the duplicate report.
Well, that’s ok because I can trust them… right?
Well, wrong.
The report got resolved a few days ago. I went back to it and noticed that one endpoint was still vulnerable. I sent in another report.
My report was closed as a dupe of a report that came way AFTER my initial report.
I explained that I had reported the same issue on the same endpoint long before but I was told to kick rocks.
Just a warning to other researchers, this is how Bugcrowd (in at least some instances) treats their hackers. Don’t let that sour you from bug bounty though. There are lots of other great platforms out there and lots of money to be made :)