For businesses that launch a bounty program, the initial influx of vulnerability reports can sometimes be overwhelming, with reports of varying quality being submitted by testers. To facilitate the report evaluation process, this feature ensures that testers who have repeatedly submitted quality reports take precedence in your inbox.
Reports submitted by testers are evaluated on a scale of 1 to 5, with 1 being the lowest quality report and 5 being the best.
A security tester’s average score determines that tester’s quality rating.
Security testers with a quality control rating lower than 3 will only be permitted to submit one report per day.
[Updated] Security testers with a quality control rating lower than 3 are not permitted to participate in programs with monetary rewards.
In the future, we will continue to improve Quality Control, making it easier for companies to respond to vulnerability reports and to reward the best Cobalt security researchers.
To further emphasize the importance of providing feedback in a timely manner, we now display response rate and response time on all reward programs. Security researchers invest time and work into making the businesses hosting bounty programs more secure. We hope that this feature will make it easier for our researcher community to navigate the reward programs available through Cobalt.
Response rate is the percentage of reports where feedback has been provided.
Response time is the average time elapsed between submission of a report and the feedback on it.
These measures will help security testers determine how long it may take to hear back from a company, and whether companies are timely in responding to reports.
Is there a specific feature that you would like to see added to Cobalt? We are constantly looking for ways to improve our tools for businesses and testers alike. Share your thoughts with us via email or Twitter.