BUGCROWD REPORTING — Program-Specific Tactics
Companion to the generic
report-writingskill. Use when working specifically on Bugcrowd submissions where VRT mapping, OOS-clause rebuttals, or per-program target selection matter.
This skill encodes patterns that apply specifically to Bugcrowd's submission flow. For the generic per-platform templates (HackerOne / Bugcrowd / Intigriti / Immunefi report bodies), use the report-writing skill. For the 7-Question Gate before deciding to report at all, use triage-validation.
1. VRT Category Selection — Search & Fallback Strategy
Bugcrowd's submission form requires a single VRT (Vulnerability Rating Taxonomy) selection. The dropdown's default severity is bound to the chosen node — pick wrong and the form auto-suggests P4 when the actual impact is P3 or P2.
1.1 Search hierarchy (try in order, pick the highest-severity match that still describes the bug)
For any finding, search the VRT dropdown with these terms in this order:
- The bug's primary class — e.g.,
IDOR,XSS,SSRF,auth bypass,2FA bypass - The data category exposed — e.g.,
PII,sensitive data exposure,disclosure of secrets - The control bypassed — e.g.,
broken access control,authentication bypass - The endpoint type — e.g.,
no rate limiting on form > login,no rate limiting on form > change password - The generic parent node — e.g.,
Server Security Misconfiguration > Other,Broken Access Control > Other
1.2 Pick the highest-severity match that still accurately describes the bug
Never select a VRT that misrepresents the bug just to get a higher default severity. Triagers will reassign and may flag the misrepresentation. The discipline is: pick the most specific accurate VRT, then use §2 (Manual Severity Override) if the default is wrong.
1.3 Common mappings worth knowing
| Finding type | First-choice VRT | Fallback |
|---|---|---|
| ATO via missing 2FA on password change | Broken Authentication & Session Management → Second Factor Authentication (2FA/MFA) → Bypass | Broken Auth → Authentication Bypass → Other |
| Password oracle without rate limit | Broken Authentication & Session Management → Authentication Bypass → Other | Server Security Misconfiguration → No Rate Limiting on Form → Login |
| GraphQL introspection / APQ allowlist bypass | Server Security Misconfiguration → Other (justify in body) | Broken Access Control → Other |
| Username → real name PII enumeration | Sensitive Data Exposure → PII Leakage / Disclosure of Secrets → Non-Corporate User | Broken Access Control → Other |
| State desync on security-sensitive action | Application-Level DoS → Other (with state-desync framing) | Server Security Misconfiguration → Other |
| Email/SMS pumping on auth-flow endpoint | Server Security Misconfiguration → No Rate Limiting on Form → Email-Triggering / SMS-Triggering | Server Security Misconfiguration → No Rate Limiting on Action |
| Token brute-force (email-change OTP, password reset) | Broken Authentication → Authentication Bypass → Other | Server Security Misconfiguration → No Rate Limiting on Action |
1.4 If no good VRT exists
Pick Server Security Misconfiguration → Other or Broken Access Control → Other and lead the description body with a "VRT mapping note" explaining why the chosen node is the closest available match and what the bug actually is.
2. Manual Severity Override
Bugcrowd's form lets you manually set Technical Severity separate from the VRT default. The form text itself states: "A severity rating suggested by the VRT is not guaranteed to be the severity rating applied to your submission."
2.1 When to override
Override the VRT default when:
- The chained outcome is a higher severity than the standalone bug class (chain → ATO)
- The VRT category is approximate and its default doesn't reflect the actual impact class
- The program's own Focus Areas explicitly list this outcome at a higher severity than VRT's default
- The data class exposed is more sensitive than the VRT's example uses (e.g., real-name PII vs. handle enumeration)
2.2 How to override (form mechanics)
- Select the VRT that most accurately describes the bug (per §1)
- Note the auto-suggested severity (P4, P3, etc.)
- In the Technical Severity field, manually pick the severity you're requesting
- Add a Severity Request paragraph as the FIRST section of the description body (per §3)
2.3 Don't over-claim
P1 inflation is the fastest way to lose triager trust. Reserve P1 for ATO without interaction, RCE, mass PII exfiltration, fund theft, and similar Critical-bucket impacts. If the chain to P1 requires a separate stolen-cookie premise, file the standalone primitive at P3 and discuss the chain explicitly with cross-references (per §4).
3. Severity-Request Paragraph — Always First in the Body
When the VRT default underrates impact, the FIRST section of the description body should be a severity-request paragraph. This is the first thing the triager reads and it pre-empts the auto-close that often happens when triagers see "P4" in the form.
3.1 Template
## Severity request — please review carefully before applying VRT default
The closest VRT category for this finding is "[chosen VRT]," which Bugcrowd defaults to **P[N] ($X-$Y in [program]'s rubric)**. **I am requesting evaluation at P[M] [standalone | in chain with submission XXXX]** for the following reasons:
1. **[Impact axis 1]** — [specific reason this finding exceeds the VRT default's example]
2. **[Impact axis 2]** — [specific reason, often citing the program's own Focus Areas]
3. **[Impact axis 3]** — [specific reason, often comparing to historical bounty payouts for the same data class]
[Optional: one paragraph contrasting the VRT default's typical example with this finding's actual impact, e.g., "P4 = No Rate Limiting on Login Form" applies to ordinary login pages where brute force is bounded by lockout policies; this endpoint has neither lockout nor throttle.]
3.2 Worked example pattern
## Severity request — please review carefully before applying VRT default
The closest VRT category for this finding is "No Rate Limiting on Form → Login," which Bugcrowd defaults to **P4 ($XX–$YY in this program's rubric)**. **I am requesting evaluation at P3 standalone, P2 in chain with submission XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX** for the following reasons:
1. **[Endpoint] is a password-disclosure oracle, not a generic rate-limit gap.** The endpoint returns true/false for a supplied password — combined with cookie theft, it is the exact primitive an attacker uses to learn the victim's *durable* credential from a stolen *transient* session.
2. **The chained outcome is "Account Takeover,"** explicitly listed under the program → Focus Areas → Critical (P1) examples. This finding is one of two independent links that make that chain work; the other is submission XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.
3. **The two findings have independent fix surfaces.** Per the program's "one fix = one bounty" rule they should be evaluated as two separate findings whose chain raises the joint severity.
The "P4 = No Rate Limiting on Login Form" default applies to ordinary login pages where brute-force is bounded by lockout policies. This endpoint has neither lockout nor throttle, and the result of brute force is the *user's actual password* (not a session) — making the impact significantly higher than the default VRT severity assumes.
3.3 Tone guidelines
- Open with "Severity request — please review carefully before applying VRT default" (literal phrase). Triagers recognize this and don't auto-close.
- Use bold sparingly; one or two phrases per reason at most.
- Never use "could potentially" or "may allow" — these are downgrade-bait.
- Cite the program's own Focus Areas / accepted-impact list by exact name.
- Cross-reference li