
Changelog 2025-07


[BB] Decreasing rewards for Systemic Issues

Key changes

Program Managers can now set different rewards for similar reports on the same scope.

Impact

  • Some vulnerabilities can be reported multiple times when triggered through different parameters (for example, XSS affecting different parameters on the same vulnerable page). These are referred to as systemic issues.

  • As a result, a Hunter could submit separate reports for each affected parameter. While these reports are technically valid, they can create budget constraints for the organisation or lead to duplicate reports — causing frustration for Hunters when those reports are rejected.

  • This new feature facilitates report management and provides Hunters with clear visibility into the program’s reward policy.

Audience

  • Program Managers who would like to reward submitted vulnerabilities without depleting their budget on similar bugs.

  • Hunters, who will have a clearer view of the program’s rules.

Usage

  • A new option is available within the program configuration page to set decreasing rewards for systemic issues:

Organisation's view

  • Program Managers can set the value of the rewards relative to the 1st report bounty.

  • The first 2 reports will be rewarded at 100% of the bounty value. This is consistent with current triage practices.

  • Program Managers can set values for up to six reports. Any subsequent reports will receive the same value as the 6th one.

  • For now, this feature is disabled by default. Reach out to your CSM to activate it!

Hunters' view

  • Triage’s assessment takes the decreasing reward grid for Systemic Issues into account in its reward suggestions.


[BB] Qualifying Leaks & Credentials

Key changes

Program Managers can now formally configure rules for leaks and exposed credentials directly in the platform when creating or editing a program.

Impact

  • Previously, Program Managers had to copy and paste templates for leaks and credentials eligibility by hand, which was tedious.

  • Hunters will be less likely to submit unwanted leaks or credential exposure reports thanks to this new dedicated program section.

Audience

  • Program Managers who want to define which types of leaks are acceptable within specific scopes.

  • Hunters discovering the program and identifying what qualifies for a reward.

Usage

A new table is now available in the program configuration page:

Organisation's view

  • Program Managers can set the eligibility of leaks and credentials depending on:

    • The source of the leak (i.e., is the source an asset in scope of this program)

    • The impacted asset (i.e., is the asset in scope of this program)

  • For now, this feature is disabled by default. Reach out to your CSM to activate it!

Hunters' view


[CORE] SLA Dashboard

Key changes

This new dashboard enables more comprehensive tracking of SLA data across the platform.

Impact

  • Business Unit Owners and Program Managers can now track and export aggregated data related to SLA.

  • Users now have access to a dedicated dashboard to monitor the remediation of their reports, directly in the platform.

Audience

  • Business Unit Owners & Program Managers who want to have an overview of their remediation efficiency and track their reports' remediation timelines.

Usage

  • A new "SLA Compliance" tab is now available in the Dashboard section.

  • This tab features data & charts related to report remediation:

  • Data can be grouped by month or quarter, and filtered by:

    • BU & Programs

    • Severity

    • Priority

    • Bug Type

    • Tags

    • Sources

  • All Vulnerability Center reports with an SLA are represented on the charts, including those already closed & resolved.

  • It is possible to export the data as a CSV file, or to export each chart as a PNG image.

  • Clicking on the number of “Open reports overdue” will open the Vulnerability Center with a filtered view on these reports.

  • The “SLA Goals” chart provides an overview of all overdue and on-time reports.

  • The “Number of reports on time vs overdue” chart shows, for each month, the number of on-time vs overdue reports.

  • The final chart displays the average number of days for remediation (“Accepted” to “Resolved”) by Severity over the past 12 months.


[CORE] Configurable Email Notifications

Key changes

A brand new Notification Center has been released in the platform. You can now access all your events on this dedicated page. You can also configure which types of notifications you would like to receive by email.

Impact

  • Previously, all report activity information was received via email, giving full visibility but often requiring custom rules to manage the volume.

  • You can now easily configure which types of notifications you would like to receive, avoiding the need to create multiple rules.

Audience

  • Any user who would like to subscribe only to certain types of email notifications (e.g., new comment on a report for Hunters, or new Triager assessment for organisations).

  • Business Unit Owners or Business Unit Managers wanting to browse through events of different Business Units.

  • Program Managers going through specific events of a given program.

Usage

When there is activity on a report or on a program, users are automatically notified by email and by in-app notifications. They are also notified of invitations to a Business Unit, a Program or a Report.

A new "bell" icon is now displayed at the top right of the platform banner. Clicking this icon allows users to access the Notification Center where all received notifications (both read and unread) are shown.

  • A red dot shows up next to the “bell” icon when there is an unread notification.

Notification Center

  • Find all your event notifications grouped by date

  • Mark notifications as read individually, or click on “Mark all as read”

  • Filter notifications by report events (and by Business Units for organisations)

Configuration Panel

This new section is now available in User Settings. Users can select which types of report events they would like to receive by email.
