How We Measure Crowd Performance

Today we’re releasing a change to Bugcrowd’s researcher ranking and points system. We’ve also added some new stats to researcher profiles, giving you an indication of a researcher’s accuracy and the average severity of the issues they submit.

Read more on the Bugcrowd blog.

What follows is a long blog post detailing changes we are making to improve our Crowd reputation measures. The summary is that we are changing Kudos points allocations, replacing Accuracy with Acceptance Rate, and adding Average Submission Priority to researcher profiles. While we are announcing multiple changes, we are confident based on our testing over the last few months that these new measures more accurately reflect the performance of our Crowd members. Read on if you are interested in the nitty gritty details of each change…

I’ve been trying to figure out the average priority number in the new release. If we have a lower number, does that mean more critical bugs, i.e. 2.x = more priority 2’s, or is it the opposite, so the higher the number, then on average you send in higher priority bugs? How high does that number go?

Average priority is literally an average of all your P1-P5 (wont_fix) priorities.

Lower number means you’re submitting more P1s, higher number means you’re submitting more P4s. It’s pretty natural for even great researchers to be in the 3.0 - 4.0 range, depending on the volume they submit.

It’s a little more complicated than “lower is better” - as a researcher, are you a sniper who gets one huge P1 after days of effort? Or are you someone that quickly finds lots and lots of vulns in a target, where some are P1, but many might be P3-P4?

I’m not convinced about the won’t fix. I recently found issues that I know I would have fixed, and I’m sure others would agree, but the customer accepts the risk - there should be something for this that doesn’t impact points unless you have explained all risk acceptance to the bughunters in the scope.

I think the won’t fix is needed, but there needs to be something else that doesn’t impact accuracy.


You should contact support@bugcrowd.com in those scenarios.

Bugcrowd are here to facilitate the customers, not to challenge how they measure risk.

Bugcrowd could agree with the hunter but allow the client their own risk acceptance process.

But that might be considered noise.

The forum is a perfect place to discuss.