Unlock the State of Pentesting 2023! Explore 3,100 pentests with expert insights on vulnerabilities, security challenges, & maximizing pentest value.

How to Evaluate Vulnerability Reports

In any marketplace, mutual trust and respect between buyers and sellers is vital. Here are a few tips to help you evaluate a reported...

In any marketplace, mutual trust and respect between buyers and sellers is vital. Here are a few tips to help you evaluate a reported vulnerability in Cobalt.


In business and in security, one thing is certain: time is of the essence. For businesses hosting rewards programs through Cobalt, evaluating vulnerability reports in a quick and timely manner is an important step in strengthening your web security.

  • Reviewing reports within 24 to 48 hours of receiving them will help your organization stay ahead of emerging security threats and scheduling time for security patches.

  • Because our researchers have invested hours of time and effort into making your technology more secure, their diligent work deserves a timely response.

  • To help you keep track of vulnerability reports, Cobalt sends weekly report reminders.

In our reward programs, he (or she!) who submits a strong vulnerability report first usually wins — so for security researchers, reporting a bug in a timely manner could be the difference between reaping rewards for hard work or being too late to the game.

To reward or not to reward?

That is the question, and only those hosting a bug bounty program can answer that. Here are a few of guidelines to help you best determine when and how to reward researchers:

  • If a researcher finds a bug that a business will fix, that bug should be rewarded.

  • If a researcher finds a bug that is out of the predefined scope of your program, it is best to mark it “Out of Scope” and give feedback to the researcher on why the vulnerability will not be rewarded.

  • If a researcher finds a vulnerability out of the scope of your bounty program, but a business patches it, the bug should be rewarded to the researcher. (If this happens one more more times, you may want to widen the scope of your program.)

Because the Cobalt platform hosts over a thousand security researchers, it is possible for businesses to receive multiple bug reports from different researchers on the same issue. In these cases, it is up to the company hosting the bounty program to decide who wins the reward.

Communication is key

Feedback is one of the most important tools in the Cobalt platform. During the feedback process, companies hosting bounty programs have the ability to evaluate reports submitted by users. Because the Report Quality Rating is an important measure of a researcher’s Hall of Fame score, it is important to evaluate vulnerability reports on these criteria:

  • Was the report relevant to program scope?

  • Was the report concise?

  • Were the steps to reproduce the issue clear?

For security researchers, it is an invaluable tool that encourages continued research for bugs while also providing them providing insight from companies on their performance. For companies, it is a tool that can be used to build rapport and share information with researchers who regularly find and help close important security bugs.

Do you have questions about Cobalt vulnerability reports, or tips to share for giving (or receiving) feedback? Let us know:!

Back to Blog
About Julie Kuhrt
Julie Kuhrt is a former community content manager at Cobalt. With nearly a decade of experience across community and marketing teams, Julie brought a wealth of expertise and experience to her programs at Cobalt. More By Julie Kuhrt
Cybersecurity Regulation within Wealth Management
At H2Cyber we leverage Cobalt’s Pentest as a Service model because it allows our clients to execute with speed, scale as needed, and retest to ensure fixes are functioning correctly.
Mar 14, 2022