I am here to discuss the response times for your submissions, from low to high priority bugs, on Bugcrowd.
What made me discuss this topic:
1. It’s been more than a month and I haven’t got my first response from the Bugcrowd team for critical bugs like IDOR, XSS, authentication bypass.
2. Responses for duplicate and won’t-fix bugs always come very fast, but are unpredictable for other critical and eligible bug submissions.
3. Some of my bugs have been pending for more than 2 months, which are again critical, like XSS, IDOR, etc.
I am having the above mentioned issues with Bugcrowd. Am I the only one who is facing these issues, or is it common behaviour for every security researcher on Bugcrowd? Contacting Bugcrowd support doesn’t help much with these issues.
What is your opinion about the response time for bugs?
Response time varies by program and if the program is managed by program. I believe you have pending bugs with Tagged, which is a program managed by Tagged.
I noticed you emailed us recently, and our response said that we’d work with Tagged to get those bugs addressed soon. That’s still the case; I’m sorry for your continued wait.
Thanks for your quick response. Yes, you have the correct information regarding Tagged, and I am not much concerned about the bugs which are in a pending state or associated with a specific program here.
Let me give you a recent example here. I reported critical category bugs in Indeed about a month ago. Usually I get the first response within 3-5 working days, but in this case it’s been a month and I haven’t even got a first response from Bugcrowd. Along with these bugs I submitted some bugs which were duplicate or low priority bugs, and I got a response within 2 days for those. You can verify this from the submissions on my account.
Even if I don’t consider program-specific (e.g. Tagged) problems, there are issues with the Bugcrowd team who verify the bugs and send them to the company.
Can you please give some brief information on what exactly the issue is here? Is there anything I am missing from my side? What is the POC if I or any researcher have this kind of issue?
It’ll be very helpful if you go through my submissions once and address the actual issue here.
Best Regards!
The best thing to do is email us at email@example.com and we can look into it. If you’ve done so in the past and you still haven’t received an update from the customer, you should try contacting us again.
We’re learning every day how we can best keep our customers and researchers happy and well taken care of. This particular kind of issue is something that we’re working to improve on, with recent investments in our internal teams so we can have more bandwidth to work with customers and researchers.
Please feel free to contact us again and one of our team members can look into this issue further.
My record is a year… right now I’ve got some bugs hanging back that are about 3-4 months old… I usually harass firstname.lastname@example.org in that case. The one thing that bugs me is that we aren’t supposed to move to public disclosure with Bugcrowd bounties, but if companies just drag their feet they can avoid it (because we are such law-abiding citizens we wouldn’t dare go against the T’s and C’s)… If it were a company running its own bounty and they didn’t respond within 1-2 months after a few follow-up e-mails… their vulnerabilities would be splashed over the bugtraq/full-disclosure mailing lists pretty quick.