bugcrowd-reporting
This skill provides Bugcrowd-specific tactics for vulnerability submission optimization. Use it when filing Bugcrowd reports where VRT category selection matters, when the auto-assigned severity underrates impact, when triagers cite out-of-scope clauses needing rebuttal, when linking related findings across submissions, or when differentiating between QA and production targets. It pairs with generic report-writing guidance for multi-platform templates and triage-validation frameworks for pre-submission vetting.
git clone --depth 1 https://github.com/elementalsouls/Claude-BugHunter /tmp/bugcrowd-reporting && cp -r /tmp/bugcrowd-reporting/skills/bugcrowd-reporting ~/.claude/skills/bugcrowd-reportingSKILL.md
# BUGCROWD REPORTING — Program-Specific Tactics > Companion to the generic `report-writing` skill. Use when working specifically on Bugcrowd submissions where VRT mapping, OOS-clause rebuttals, or per-program target selection matter. This skill encodes patterns that apply specifically to Bugcrowd's submission flow. For the generic per-platform templates (HackerOne / Bugcrowd / Intigriti / Immunefi report bodies), use the `report-writing` skill. For the 7-Question Gate before deciding to report at all, use `triage-validation`. --- ## 1. VRT Category Selection — Search & Fallback Strategy Bugcrowd's submission form requires a single VRT (Vulnerability Rating Taxonomy) selection. The dropdown's default severity is bound to the chosen node — pick wrong and the form auto-suggests a lower priority (often P4) when the actual impact is P3 or P2. > Note: VRT default severities are not fixed constants. Bugcrowd revises the VRT schema across versions, and individual programs can remap defaults via their own priority configuration. The P-values shown in the examples below (e.g., "No Rate Limiting on Form → Login" defaulting to P4) are the typical baseline at time of writing — always read the severity the *current* form actually auto-suggests for *this* program rather than assuming the value here. ### 1.1 Search hierarchy (try in order, pick the highest-severity match that still describes the bug) For any finding, search the VRT dropdown with these terms in this order: 1. **The bug's primary class** — e.g., `IDOR`, `XSS`, `SSRF`, `auth bypass`, `2FA bypass` 2. **The data category exposed** — e.g., `PII`, `sensitive data exposure`, `disclosure of secrets` 3. **The control bypassed** — e.g., `broken access control`, `authentication bypass` 4. **The endpoint type** — e.g., `no rate limiting on form > login`, `no rate limiting on form > change password` 5. **The generic parent node** — e.g., `Server Security Misconfiguration > Other`, `Broken Access Control > Other` ### 1.2 Pick the highest-severity match that still accurately describes the bug Never select a VRT that misrepresents the bug just to get a higher default severity. Triagers will reassign and may flag the misrepresentation. The discipline is: pick the most specific *accurate* VRT, then use §2 (Manual Severity Override) if the default is wrong. ### 1.3 Common mappings worth knowing | Finding type | First-choice VRT | Fallback | |---|---|---| | ATO via missing 2FA on password change | Broken Authentication & Session Management → Second Factor Authentication (2FA/MFA) → Bypass | Broken Auth → Authentication Bypass → Other | | Password oracle without rate limit | Broken Authentication & Session Management → Authentication Bypass → Other | Server Security Misconfiguration → No Rate Limiting on Form → Login | | GraphQL introspection / APQ allowlist bypass | Server Security Misconfiguration → Other (justify in body) | Broken Access Control → Other | | Username → real name PII enumeration | Sensitive Data Exposure → PII Leakage / Disclosure of Secrets → Non-Corporate User | Broken Access Control → Other | | State desync on security-sensitive action | Application-Level DoS → Other (with state-desync framing) | Server Security Misconfiguration → Other | | Email/SMS pumping on auth-flow endpoint | Server Security Misconfiguration → No Rate Limiting on Form → Email-Triggering / SMS-Triggering | Server Security Misconfiguration → No Rate Limiting on Action | | Token brute-force (email-change OTP, password reset) | Broken Authentication → Authentication Bypass → Other | Server Security Misconfiguration → No Rate Limiting on Action | ### 1.4 If no good VRT exists Pick `Server Security Misconfiguration → Other` or `Broken Access Control → Other` and **lead the description body with a "VRT mapping note"** explaining why the chosen node is the closest available match and what the bug actually is. --- ## 2. Manual Severity Override Bugcrowd's form lets you manually set Technical Severity *separate from the VRT default*. The form text itself states: *"A severity rating suggested by the VRT is not guaranteed to be the severity rating applied to your submission."* ### 2.1 When to override Override the VRT default when: - The chained outcome is a higher severity than the standalone bug class (chain → ATO) - The VRT category is approximate and its default doesn't reflect the actual impact class - The program's own Focus Areas explicitly list this outcome at a higher severity than VRT's default - The data class exposed is more sensitive than the VRT's example uses (e.g., real-name PII vs. handle enumeration) ### 2.2 How to override (form mechanics) 1. Select the VRT that most accurately describes the bug (per §1) 2. Note the auto-suggested severity (P4, P3, etc.) 3. In the **Technical Severity** field, manually pick the severity you're requesting 4. Add a **Severity Request** paragraph as the FIRST section of the description body (per §3) ### 2.3 Don't over-claim P1 inflation is the fastest way to lose triager trust. Reserve P1 for ATO without interaction, RCE, mass PII exfiltration, fund theft, and similar Critical-bucket impacts. If the chain to P1 requires a separate stolen-cookie premise, file the standalone primitive at P3 and discuss the chain explicitly with cross-references (per §4). --- ## 3. Severity-Request Paragraph — Always First in the Body When the VRT default underrates impact, the FIRST section of the description body should be a severity-request paragraph. This is the first thing the triager reads and it pre-empts the auto-close that often happens when triagers see "P4" in the form. ### 3.1 Template ```markdown ## Severity request — please review carefully before applying VRT default The closest VRT category for this finding is "[chosen VRT]," which Bugcrowd defaults to **P[N] ($X-$Y in [program]'s rubric)**. **I am requesting evaluation at P[M] [standalone | in chain with submission XXXX]** for the following reasons:
Run autonomous hunt loop on a target — scope check → recon → rank surface → hunt → validate → report with configurable checkpoints. Usage: /autopilot target.com [--paranoid|--normal|--yolo]
Build an exploit chain — given bug A, finds B and C to combine for higher severity and payout. Knows common chain patterns: IDOR→ATO, SSRF→cloud metadata, XSS→ATO, open redirect→OAuth theft, S3→bundle→secret→OAuth. Usage: /chain
Active vulnerability hunting. Two-track dispatcher — asks Red Team vs WAPT, hands off to hunt-dispatch skill and sibling commands. Usage: /hunt target.com | /hunt *.target.com | /hunt targets.txt [--vuln-class X] [--source-code P] [--chrome]
On-demand intelligence fetch for a target — CVEs, disclosed reports, new features. Wraps learn.py + hunt memory context. Usage: /intel target.com
Inspect or rotate hunt-memory JSONL files (audit.jsonl, patterns.jsonl, journal.jsonl). Caps file size and keeps N rotated backups so memory does not grow unbounded.
Pick up a previous hunt on a target — shows hunt history, untested endpoints, and memory-informed suggestions. Usage: /pickup target.com
Run full recon pipeline on a target — subdomain enum (Chaos API + subfinder), live host discovery (dnsx + httpx), URL crawl (katana + waybackurls + gau), gf pattern classification, nuclei scan. Outputs to recon/<target>/ directory. Usage: /recon target.com
Log current finding or successful pattern to hunt memory. Auto-fills from /validate output if available. Usage: /remember