BIPI

Triage Psychology: How Triagers Read Your Report

Cybersecurity

Triagers see hundreds of reports a week. The ones they accept fast, calibrate high, and remember fondly all share patterns. Learn how triagers think, what they skip, and how to write so your report lands right.

By Arjun Raghavan, Security & Systems Lead, BIPI · May 17, 2023 · 8 min read

#triage #reports #bug-bounty #psychology #communication

Triagers are tired

A platform triager reviews fifty to two hundred reports a week, most of which are duplicates, scanner noise, or out of scope. By the time your report hits their queue, they are skimming, not reading. Write for the skim, not the deep read.

The first thirty seconds

  • Title, scanned in two seconds: it must say exactly what the bug is.
  • Summary, scanned in ten seconds: it must state the impact and the affected asset.
  • Steps to reproduce, scanned for clarity and ease: they must be copy-paste ready.
  • PoC, opened only if the first three pass the skim: it must work on the first try.

Title patterns that trigger high attention

  1. Authenticated account takeover via misconfigured OAuth on api.target.com.
  2. Pre-auth SSRF reaching AWS metadata on staging.target.com.
  3. Stored XSS in admin panel comments leading to session theft.
  4. IDOR on /api/v2/users exposing PII for all customers.

What triagers love

  • Working PoC that takes less than two minutes to reproduce.
  • Clear impact statement aligned to the program's severity model.
  • Screenshots showing the bug and the impact, not just the bug.
  • Polite tone, even when challenged on severity.
  • Disclosure of any prior testing or related reports, which builds trust.

What triagers hate

  • Wall-of-text PoC with no formatting and no clear repro steps.
  • Impact paragraphs claiming critical severity for low-impact bugs.
  • Aggressive demands for a higher payout in the first message.
  • Reports that require the triager to set up a custom environment.
  • Theoretical impact, where the chain is described but never demonstrated.

The triager calibration mindset

Triagers default to the lower severity when in doubt. They are accountable to the program for paying correctly, and overpaying is more visible than underpaying. Your job is to remove all doubt, so the calibration lands at the right tier without thinking.

When triage pushes back

  1. Read their message carefully; often the answer is in the program brief.
  2. Respond with new evidence, not new arguments; evidence wins disputes.
  3. Stay calm; the triager will raise it with the program team if you respect their process.
  4. Accept their decision after one back-and-forth; repeated pushback loses good faith.

Reports triagers remember

A clean, well-chained High that took the triager five minutes to validate is the kind of report that gets you private invites months later. Triagers talk to each other across programs, and a reputation for clarity travels fast.

The best report is the one a tired triager finishes reading and immediately knows the answer.

Building triager trust over time

  • Always disclose related context, even if it might lower severity slightly.
  • Withdraw reports that you realize are wrong before the triager spends time on them.
  • Re-test for free when fixes deploy, even if the program does not require it.
  • Reference past reports on the same program, helping triagers connect chains.
