Metacommunication and Bug Bounty Programs

3 years ago 215
BOOK THIS SPACE FOR AD
ARTICLE AD

Melanie Ensign

In the early 1950s, Jurgen Ruesch and Gregory Bateson coined the term metacommunication, defined as “communication about communication.” It’s commonly understood as the unspoken or nonverbal cues that accompany or encapsulate a message. Things like body language, tone of voice, gestures, and facial expressions often contain their own meanings that amplify, clarify, or confuse the words we use. But what about in written communications, such as those used for email and bug bounty platforms?

These are text-based, asynchronous messages where many of the most commonly recognized non-verbal cues like body language and facial expressions are non-existent. But that only amplifies the meaning of other cues and misunderstanding them or ignoring them often leads to unnecessary and emotionally-charged escalations, distrust, and burn out.

When working with asynchronous, text-based communications, what metacommunication do bug bounty teams and researchers need to be aware of? In my experience, the most important are context and relationships.

Context

There is a lot of context surrounding written communications, such as when messages are sent (e.g. day of the week, time of day, amount of time it takes to respond, etc.), their length, and the cultural perspective with which they’re crafted and interpreted. This means sending an effective message includes considering the context in which it will be received. What’s convenient or culturally acceptable to a security engineer in the United States may not be the best approach for communicating with a researcher on the other side of the world.

Understanding context is critical to effective communication because it impacts our interpretation of language, tone, and meaning. Whether your message is clear or confusing comes down to the structure of your prose and the context in which it’s read. Getting this right is often more difficult without the cues of live or face-to-face communication, so some bug bounty teams become overly dependent on phone or video conference calls for all conflict resolution. Sometimes this approach is helpful, but unless appropriate norms and expectations are already in place, the context of switching formats can immediately signal an escalation and put people on edge. A significant part of our business at Discernible is coaching bug bounty teams and researchers on when to use certain communication channels and how to use them effectively by maximizing the advantages of context and minimizing its potential risks.

Relationships

Another critical aspect of metacommunication is that every message also includes an implicit metacommunication about the relationship between the people involved. This relationship not only frames the message, but the message itself can imply a certain type of relationship (for better or worse). A simple way to think about this is the difference in how we speak to people we’ve just met compared to people we’ve known for a long time. What we disclose and the words we use often change depending on who we’re talking to.

When I first started working with responsible disclosure programs more than 10 years ago, most of them were private and invite-only. Researchers were invited to join only after establishing a trusted relationship with the security team. This meant that all our communications were framed within an existing (and usually positive) relationship. Things like benefit of the doubt were far more common because we all knew each other and assumed good intent. It’s much easier to unfairly or harshly judge someone we don’t know, and the emotional frustration that comes with constantly facing animosity is one reason triage teams burn out so quickly.

Today, many bug bounty programs solicit reports from researchers the security team may not know personally, which adds another layer of complexity to the communication requirements. How we communicate to each other tells us something about how we perceive our current relationship and, by extension, how we feel about the other person. Language that divides internal security teams from external researchers can be interpreted as dismissive or condescending, communicating to the other person that we don’t value them as an equal to ourselves.

Building trusted relationships with strangers is not easy; it takes time, patience, and consistent commitment. However, the best bug bounty programs and researchers invest in good communications, not only to improve efficiency, but to protect themselves from getting stuck in unproductive or destructive loops.

Pro Tips

Over the years, I’ve focused on a few key skills with the bug bounty teams I work with to help them overcome some of the most challenging aspects of bug bounty communications.

Focus on outcomes. Trying to win an argument is not an outcome, it’s a sign of immaturity. Remove “winning” as an expectation of your communication. For both bug bounty teams and external researchers, maintaining a productive long term relationship is usually the more valuable prize. That does not mean you should put up with abuse or unprofessional behavior — — it means be strategic about the boundaries set and the tone you use, with the expectation that the person you’re currently communicating with could be in your life longer than you might choose. Don’t shoot yourself in the foot.Explain your decisions but don’t get defensive. It’s not a fight unless you make it one. Every message is an exercise in learning about someone else’s communication style and proficiency. In helping the other person understand where you’re coming from, don’t assume they will see the same set of information the same way you do, even before the added complexity of context. Simply throwing facts at someone rarely works, especially if you’re hoping to convey respect. Relationships, whether with this specific individual or others in the community who may see the exchange, are paramount.Pay attention to what they heard. If you’re not getting the reaction you expected, resist the temptation to get frustrated or escalate. Instead, find out what they interpreted from what you said and if you need to, calmly and patiently clarify what you meant.Slow down. It’s common for people to feel anxiouswhen they don’t understand each other, which can cause rapid-fire responses and emotional escalation. There is no reward for the fastest response when it adds confusion, anxiety, or destroys a relationship. Take your time to gather your thoughts and ensure that you’re interpreting their message accurately. Calmly and respectfully ask for clarification if you need it.
Read Entire Article