‘Happy hunters equal happy customers and vice versa’: YesWeHack vulnerability triage chief Adrien Jeanneau on creating a virtuous Bug Bounty circle

November 7, 2024

YesWeHack vulnerability triage chief Adrien Jeanneau on the art of triaging bug bounty vulnerability reports in this YesWeHack interview

Security teams are sometimes apprehensive about crowdsourcing security testing for the first time.

But initially cautious YesWeHack customers often become more ambitious – adding scopes, increasing rewards or inviting more hunters – as their concerns are assuaged, according to the head of the Bug Bounty platform’s triage team.

“Ensuring customers get clear, relevant and actionable vulnerability reports gives customers confidence in the process,” says Adrien Jeanneau, YesWeHack’s head of security analysts and researcher enablement. “This emboldens them to steadily expand the program and perhaps eventually launch a public program open to all registered and vetted hunters.”

In turn, this regular addition of new hunting opportunities keeps hunters engaged, adds Adrien, a still-active bug hunter who discovered Bug Bounty in 2017.

“In essence: happy customers equal happy hunters and vice versa. It’s a virtuous circle we strive to facilitate.”

Growing the team

Founded and run by ethical hackers, YesWeHack also aims to keep customers and hunters happy by handling reports swiftly and objectively, thereby enabling customers to pay rewards promptly. To sustain this approach, the in-house triage team is expanding to accommodate YesWeHack’s ongoing growth, as well as operating 24/7.

Both automation and manpower are key as the team’s workload increases, although Adrien insists that “we cannot automate everything. We can automate some easy Proof of Concepts [PoCs], facilitate initial severity assessment, and streamline repetitive, basic triage tasks.”

What triaging involves

Triage is conducted by full-time triagers and supervised by each customer’s dedicated customer success manager (CSM). Triagers perform the following for every report:

  1. Analyse the vulnerability
  2. Validate or invalidate the finding in line with the scope, qualifying vulnerabilities and other rules
  3. Reproduce the Proof of Concept (PoC) to verify the exploitability
  4. Determine severity level using a CVSS calculator, in consultation with the customer
  5. Review technical details in depth
  6. Ensure the researcher adds relevant comments, such as root cause analysis or impact assessment
  7. Handle interactions with researchers throughout the process
  8. Keep the customer up to date with progress and results

“It's like a compliance check,” says Adrien.

And if the impact demonstrated by a PoC is less than the impact reported, the triagers liaise with the researcher to try and bridge this gap with additional evidence. When the converse is true – a higher impact demonstrated – the customer is promptly notified.

The knowledge accumulated from previous findings sometimes gives triagers valuable insights that the hunter might lack. “A hunter might, for instance, send a PoC for an SSRF, and we know that in the past a similar report has been evaluated with a higher impact than initially estimated after internal checks by the program,” explains Adrien.

But while triagers sometimes make such suggestions, Adrien emphasises that clients are not obliged to follow their advice. “The triage team does not make the final decision on severity, because we can’t always know everything about the impacted asset,” he insists. “If the customer has information about the technology that we don’t, we need to trust their opinion. Severity is assessed based on our experience, the customer’s knowledge and the context of the digital asset.”

Prioritisation model

The systematic prioritisation of incoming reports is a key plank of the YesWeHack model’s success (something attested to in our customer testimonials). Prioritisation is based not just on when reports are submitted, but also on severity and on the triage team’s initial evaluation of potential real-world business impact. “If a report is validated as truly critical, it gets triaged first,” says Adrien.

Nevertheless, the process is speedy as well as thorough regardless of severity. “YesWeHack has a first-response SLA of two business days for all reports but we’re actually achieving an average of 5-6 hours,” Adrien notes.

Triagers can also advise customers on the best course of action for out-of-scope submissions (a Vulnerability Disclosure Policy is usually a good idea). For example, Telenor recalled in a YesWeHack webinar how vulnerabilities discovered in out-of-scope assets in their supply chain prompted them to alert affected suppliers, some of which went on to launch their own Bug Bounty Programs.

What makes a great triager?

“The technical part of being a triager is important, but it’s not mandatory to have OSCP certification when you start, for example,” says Adrien. Technical knowledge can be acquired on the job because new triagers’ assessments are double-checked by colleagues during their first four months in the role. “So a new triager is never navigating the technical side alone,” says Adrien.

Soft skills are just as crucial. “We are intermediaries. We collaborate with both hunters and customers to address problems or complaints, respond to comments and ensure reports are as clear and accurate as possible.”

Interpreting and simplifying messages is a key part of this intermediary role: “Hackers often use different language and terminology to customers,” Adrien explains. “We explain the impact as clearly as possible to customers who might be new to Bug Bounty and not have great technical knowledge.”

The future of triage

The triage team keeps abreast of new vulnerabilities as technology evolves and developers become adept at preventing older bug classes like SQLi.

“In general, new bugs like large language model (LLM) injection, HTTP request smuggling, OS binary or mobile app issues are more challenging for the triage team than classic vulnerabilities like XSS, CSRF and open redirects,” says Adrien. “When reports use new techniques, we need to understand the risks, impact and possible mitigations.”

Adrien expects to still be “triaging XSS and open redirects in five years’ time, but it’s vital for us to stay up to date with new techniques. That’s why we have an internal communication channel for sharing writeups and insights about the latest hacking techniques.” The triage chief recalls how the triage team once also “sharpened their technical skills by creating and participating in a CTF challenge”.

Hunting and triaging are increasingly automated, he acknowledges, but adds: “It’s important to keep the human brain involved in triaging to ensure the impact reflects the context, our knowledge and the customer’s knowledge.”

Customer-service collaboration

Also central to the efficiency of Bug Bounty Programs – and minimising customers’ workload – is the customer success management (CSM) team, which helps to continuously align scopes, bounty ranges, qualifying vulnerabilities and participating hunters with evolving customer requirements and budgets.

The CSM and triage teams have a symbiotic relationship. “The CSM team shares information that helps us do our job – for instance, if scopes are accessible via accounts with four levels of privileges,” says Adrien.

In return, “we are the eyes of the CSM team. For example, we will alert them if a scope is no longer available, or if a new API endpoint crucial to the application's operation has been forgotten and should be added to the scope.”

Moreover, triagers can help the CSM team recommend hunters with relevant skills. And if a new program is producing unremarkable reports, they might suggest “making the program rules more restrictive to really focus on impactful vulnerabilities”.

Advice for CISOs

Asked for advice for CISOs navigating their first Bug Bounty Program, he highlights clear, unambiguous and timely communication with hunters. “What do you expect from the bug hunter? Keep your program description simple. If someone is on vacation and no one is available to check the report for a few days, warn the hunter. Or if you modified the CVSS, explain why you think the vulnerability is not critical in the context of your organisation.”

As for testing methodologies, he advises: “If it’s possible to provide accounts on the scope, do it, because this will help hunters and triagers to do their job.”

To conclude, what is the standout improvement in YesWeHack’s triage service during Adrien’s time at the company?

“The progress is in the process,” he says. “What started as a basic triage operation has evolved into a robust system with automation and seamless collaboration. I’m incredibly proud of how our team has grown and evolved – they've not only built an efficient process but have become trusted partners to our clients and security researchers alike.”

Interested in learning more about vulnerability triage or launching your first Bug Bounty program? Get in touch with our experts today to see how YesWeHack can support and secure your digital assets!