TL;DR Changelog 39:
- Edit or remove messages on submissions within 15 min of posting
- Updates around contextual CVSS scoring tool
- CVSS selection as default on severity assessment
- Integrated tooltips and links to first.org
- CVSS vector included in the submission exports
- Copy/paste functionality on CVSS vector
- New Customer story with CM.com
Communication is key
Communicating with others about a bug or vulnerability that has been found and submitted as a report is one of the key features a bug bounty platform needs. Communication between the relevant stakeholders should be quick, easy and transparent, but it should also provide some assurance about the follow-up and help keep track of key details. That’s why Intigriti has built its messaging system entirely around incoming submissions – this is where most of the back and forth between researchers, companies and our Triage team happens.
By design, we usually want these messages to be mostly permanent, as a record of how a submission is processed and how information is exchanged. This is security-relevant information, so altering messages that were sent previously could shift the context, lead to misunderstandings or suddenly misrepresent a previous agreement. That’s why status changes are also logged together with messages: you get a clear, chronological insight into what happened with a submission, from the moment it is reported until it is resolved.
Events and feedback show in the message overview of a submission in strict order
To err is human, to forgive divine (design)
Now, this design principle is great for its factfulness. Meticulously keeping track of what is happening almost makes an audit trail out of ongoing communication. But we are all humans (at least I have no proof of other species working with intigriti) and, as above: to err is human. Everybody makes mistakes, be it the occasional spelling error, addressing someone by the wrong name or simply submitting a message too early.
Yeah, so how about it?
Introducing: Edit/Remove Messages
Even if it means introducing some flexibility, being able to correct smaller mistakes is a much better user experience than having every mistake on permanent record, forever. But how can that be aligned with the design principle discussed earlier?
In the usual interaction between those who send messages to each other on submissions, communication is not expected to happen instantly. Messages on submissions are not a “chat” in that sense. Think of Facebook (back when it became popular) – there was a wall to post messages that could be visible to selected other users, and there was also a separate chat feature. Submission messages are much more like the former than the latter.
This leads to our conclusion on how exactly to add an edit/remove functionality for messages on our platform. Within 15 min of posting, messages can now be edited or removed. Most of the time the intended recipient would not have seen them yet anyway, but this still allows the correction of awkward spelling errors, unwanted information disclosure or simply sending a message prematurely.
Keeping the above limitation in mind, the rest is simple
Again: For full transparency, there’s a note if a message has been edited or removed
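To make that policy concrete, here is a small illustration (added here, not Intigriti's own code) of an append-only submission timeline: status changes are permanent, a message can be edited or removed only by its author and only within 15 minutes of posting, and every edit or removal stays visible in the log. Class, field and role names are invented for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

EDIT_WINDOW = timedelta(minutes=15)  # the 15-minute window described in the changelog

@dataclass
class Entry:
    kind: str            # "message" or "status"; status events are never editable
    author: str
    body: str
    posted_at: datetime
    edited: bool = False
    removed: bool = False

class SubmissionTimeline:
    """Append-only, chronological record of messages and status changes (hypothetical)."""
    def __init__(self):
        self.entries: list[Entry] = []
    def post_message(self, author: str, body: str, now: datetime) -> int:
        self.entries.append(Entry("message", author, body, now))
        return len(self.entries) - 1          # index used for a later edit/remove
    def change_status(self, author: str, status: str, now: datetime) -> None:
        self.entries.append(Entry("status", author, status, now))
    def _editable(self, idx: int, author: str, now: datetime) -> Entry:
        e = self.entries[idx]
        if e.kind != "message" or e.removed:
            raise PermissionError("status events and removed messages are permanent")
        if e.author != author:
            raise PermissionError("only the original author may change a message")
        if now - e.posted_at > EDIT_WINDOW:
            raise PermissionError("edit window has closed")
        return e
    def edit_message(self, idx: int, author: str, new_body: str, now: datetime) -> None:
        e = self._editable(idx, author, now)
        e.body, e.edited = new_body, True     # flagged, so the edit stays visible
    def remove_message(self, idx: int, author: str, now: datetime) -> None:
        e = self._editable(idx, author, now)
        e.body, e.removed = "", True          # entry stays in the log as a tombstone
    def render(self) -> list[str]:
        out = []
        for e in self.entries:                # strict posting order, never re-sorted
            stamp = f"{e.posted_at:%H:%M}"
            if e.kind == "status":
                out.append(f"{stamp} status -> {e.body} ({e.author})")
            elif e.removed:
                out.append(f"{stamp} {e.author}: [message removed]")
            else:
                out.append(f"{stamp} {e.author}: {e.body}" + (" [edited]" if e.edited else ""))
        return out
```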
“Mistakes happen! That’s why there are pencils with erasers”
What else have we got going on?
For programs using the contextual CVSS score there’s an exciting update to the user interface and experience for both researchers and customers:
- On programs using the contextual CVSS score, the default view for researchers on a submission is now always the CVSS vector selection
- The individual vectors have gotten tooltips and links to first.org documentation, helping researchers in objective judgement of severity
- For customers, severity vector strings can now easily be copied to clipboard and will also show in both .pdf and .csv reports
- We’ve also released a new customer testimonial. If you want to know what makes intigriti such an awesome bug bounty platform to partner with, check out what CM.com has to say
- We’ve made further improvements to our Dark Theme. For example, some font colors were very hard to read on some colored backgrounds. We are aiming for continuous improvement of course, so please let us know if you notice anything that you feel isn’t really clear or just might not look that great
In changelog 38, we discussed the awesomeness of Live Hacking Events (LHE). Well, it got even better because a few researchers earned a CVE with their findings, found during our latest LHE with Yahoo! How cool is that!