In bug bounties, judges are a party between the auditor and the development team that reviews and handles disputes on the findings. Trust, the author of the post, has audited thousands of findings in contests and is giving their opinion on the matter.
The judges are like referees in baseball: both teams hate them. Sponsors want to downplay bugs for both money and publicity. Competitors want to inflate their findings in order to profit more. Additionally, none of these people face any consequences for pushing their submissions in one direction or the other.
What's the role of the judge? First, they need to go by the rules designated by the platform. Second, they apply their understanding of the bug to get the true impact of the issue on the project. Finally, they ignore anything besides the content, including the identity of the person, time constraints and other things.
When reviewing a finding, there are many things to consider. First, the technical validity. Can the issue actually happen? Hopefully there is a PoC to demonstrate this. Next, the burden of proof is on the reporter and not the judge. If a bug is found, then the line of code or design needs to be explicitly pointed out.
Likelihood and impact are the two things most often considered, with a matrix that generates the total severity from them. Some of the impacts are loss of funds, theft of yield and other things. However, the two-layered matrix is not always correct. For instance, low is uncapped - how low is too low for likelihood? There's always debate on this matrix.
Within the period of a contest there is an escalation period where finding severity can be challenged. Since there is almost no reason for a user NOT to escalate findings, a high ratio of findings is likely to be escalated. So, judges need to filter out the noise and evaluate the legitimate reasons that were provided for changes.
When judging, similar to being an umpire, you just always need to make the right call. Don't hesitate to fix mistakes or make an unpopular decision.
An interesting view into judging! It's not for the faint of heart but is important to the community. In the only C4 contest I did, I had a bug be considered out of scope when I felt it was in but couldn't argue much for it because it was my first contest. Any time I report a bug, it's immediately downgraded as well, which is a bummer. So, I appreciate the role of the judge to help out :)