Negotiate your bugs to win more
When it comes to finding bugs, there are different steps. After finding a bug, you need to negotiate the right value and impact to get paid, and I will give you tricks to do that.
When it comes to finding bugs, there are different steps. You first need to find a bug, but then, when you report it, how do you evaluate your finding? How can you know if it's a Critical or a Low? In the bug bounty world, this comes down to one metric: the CVSS. That is what we will use to evaluate a bug.
Is it a good way to evaluate a bug or not? It depends. It's not perfect, and for a lot of bugs the value can be wrong depending on the company: a bug with the same CVSS score can be more impactful on one website than on another.
So, how can we evaluate our bugs if their impact changes from company to company? You can't, and you need to use the CVSS because all the platforms use it. Why? Because this is the most accurate way to evaluate a bug and have a clear reward grid. Some programs, like Shopify, use their own CVSS calculator with other metrics, so the result can change, but most programs still use CVSS 3.1, so you need to learn it.