How to Evaluate Vulnerability Reports

Julie Kuhrt

In any marketplace, mutual trust and respect between buyers and sellers is vital. Here are a few tips to help you evaluate a reported vulnerability in Cobalt.

Time

In business and in security, one thing is certain: time is of the essence. For businesses hosting rewards programs through Cobalt, evaluating vulnerability reports promptly is an important step in strengthening your web security.

  • Reviewing reports within 24 to 48 hours of receiving them will help your organization stay ahead of emerging security threats and schedule time for security patches.

  • Because our researchers have invested hours of time and effort into making your technology more secure, their diligent work deserves a timely response.

  • To help you keep track of vulnerability reports, Cobalt sends weekly report reminders.

In our reward programs, he (or she!) who submits a strong vulnerability report first usually wins — so for security researchers, reporting a bug in a timely manner could be the difference between reaping rewards for hard work or being too late to the game.

To reward or not to reward?

That is the question, and only those hosting a bug bounty program can answer it. Here are a few guidelines to help you determine when and how to reward researchers:

  • If a researcher finds a bug that a business will fix, that bug should be rewarded.

  • If a researcher finds a bug that is out of the predefined scope of your program, it is best to mark it “Out of Scope” and give feedback to the researcher on why the vulnerability will not be rewarded.

  • If a researcher finds a vulnerability out of the scope of your bounty program, but a business patches it, the researcher should be rewarded for the bug. (If this happens one or more times, you may want to widen the scope of your program.)

Because the Cobalt platform hosts over a thousand security researchers, it is possible for businesses to receive multiple bug reports from different researchers on the same issue. In these cases, it is up to the company hosting the bounty program to decide who wins the reward.

Communication is key

Feedback is one of the most important tools in the Cobalt platform. During the feedback process, companies hosting bounty programs have the ability to evaluate reports submitted by users. Because the Report Quality Rating is an important measure of a researcher’s Hall of Fame score, it is important to evaluate vulnerability reports on these criteria:

  • Was the report relevant to program scope?

  • Was the report concise?

  • Were the steps to reproduce the issue clear?

For security researchers, it is an invaluable tool that encourages continued research for bugs while also providing them with insight from companies on their performance. For companies, it is a tool that can be used to build rapport and share information with researchers who regularly find and help close important security bugs.

Do you have questions about Cobalt vulnerability reports, or tips to share for giving (or receiving) feedback? Let us know: hello@cobalt.io!
