Question

Your job as a hacker doesn’t stop the moment you submit the report. As the person who discovered the vulnerability, you should help the company fix the issue and make sure the vulnerability is fully patched.

作为一名黑客，你的工作不会在提交报告的那一刻结束。作为发现漏洞的人，你应该帮助公司修复问题，并确保漏洞得到充分修补。

Let’s talk about how to handle your interactions with the security team after the report submission, and how to build strong relationships with them. Building a strong relationship with the security team will help get your reports resolved more quickly and smoothly. It might even lead to bigger bug bounty payouts if you can consistently contribute to the security of the organization. Some bug bounty hunters have even gotten interviews or job offers from top tech firms because of their bug bounty findings! We’ll go over the different states of your report, what you should do during each stage of the mitigation process, and how to handle conflicts when communicating with the security team.

让我们谈谈如何处理提交报告后与安全团队的互动，并与他们建立牢固的关系。与安全团队建立良好的关系将有助于更快、更顺利地解决报告问题。如果您可以持续为组织的安全做出贡献，这甚至可能导致更高的漏洞赏金支付。一些漏洞赏金猎人甚至因他们的漏洞发现而得到了顶级科技公司的面试或工作机会！我们将探讨报告的不同状态，在缓解过程的每个阶段中应该做些什么，以及在与安全团队沟通时如何处理冲突。

Understanding Report States

Once you’ve submitted your report, the security team will classify it into a report state , which describes the current status of your report. The report state will change as the process of mitigation moves forward. You can find the report state listed on the bug bounty platform’s interface, or in the messages you receive from security teams.

一旦您提交了您的报告，安全团队将对其进行分类，以描述您的报告的当前状态。随着减轻过程的推进，报告状态将发生变化。您可以在漏洞赏金平台的界面上找到报告状态，或在您从安全团队收到的消息中找到报告状态。

Need More Information

One of the most common report states you’ll see is need more information . This means the security team didn’t fully understand your report, or couldn’t reproduce the issue by using the information you’ve provided. The security team will usually follow up with questions or requests for additional information about the vulnerability.

你最常见到的报告之一是需要更多信息。这意味着安全团队没有完全理解你的报告，或者无法通过你提供的信息复现问题。安全团队通常会跟进问题或请求有关漏洞的其他信息。

In this case, you should revise your report, provide any missing information, and address the security team’s additional concerns.

在这种情况下，你应该修改你的报告，提供任何缺失的信息，并应对安全团队提出的额外关注。

Informative

If the security team marks your report as informative , they won’t fix the bug. This means they believe the issue you reported is a security concern but not significant enough to warrant a fix. Vulnerabilities that do not impact other users, such as the ability to increase your own scores on an online game, often fall into this category. Another type of bug often marked as informative is a missing security best practice, like allowing users to reuse passwords.

如果安全团队将您的报告标记为“有用”，则他们不会修复该漏洞。这意味着他们认为您报告的问题是安全问题，但不足以需要解决。不会影响其他用户的漏洞（如在在线游戏中增加自己的分数的能力）通常属于此类别。另一种通常标记为“有用”的错误是缺失的安全最佳实践，例如允许用户重复使用密码。

In this case, there’s nothing more you can do for the report! The company won’t pay you a bounty, and you don’t have to follow up, unless you believe the security team made a mistake. However, I do recommend that you keep track of informative issues and try to chain them into bigger, more impactful bugs.

在这种情况下，你对这份报告已经无能为力了！公司不打算支付你赏金，而且你也不需要跟进，除非你认为安全团队犯了错误。不过，我建议你继续追踪信息问题，并尝试将它们链接成更大、更有影响力的漏洞。

Duplicate

A duplicate report status means another hacker has already found the bug, and the company is in the process of remediating the vulnerability.

重复报告状态意味着另一个黑客已经发现了漏洞，并且公司正在修复这个漏洞的过程中。

Unfortunately, since companies award bug bounties to only the first hacker who finds the bug, you won’t get paid for duplicates. There’s nothing more to do with the report besides helping the company resolve the issue. You can also try to escalate or chain the bug into a more impactful bug. That way, the security team might see the new report as a separate issue and reward you.

很遗憾，因为公司只向第一个发现漏洞的黑客授予漏洞赏金，因此重复提交的漏洞是无法获得报酬的。除了帮助公司解决问题外，报告中没有其他事情可做。您还可以尝试将漏洞升级或链接至更具影响力的漏洞。这样，安全团队可能会将新报告视为单独的问题并奖励您。

N/A

A not applicable ( N/A ) status means your report doesn’t contain a valid security issue with security implications. This might happen when your report contains technical errors, or if the bug is intentional application behavior.

"N/A 状态意味着您的报告中没有安全问题或安全问题对应的有效信息。这可能是由于您的报告存在技术错误，或者该漏洞是应用程序的意料之中的行为所致。"

N/A reports don’t pay. There is nothing more for you to do here besides move on and continue hacking!

N/A 报告不会付款。除了继续黑客攻击之外，你在这里没有更多事要做了！

Triaged

Security teams triage a report when they’ve validated the report on their end. This is great news for you, because this usually means the security team is going to fix the bug and reward you with a bounty.

安全团队在验证报告后进行分类处理。这对你来说是个好消息，因为这通常意味着安全团队将修复漏洞并奖励你赏金。

Once the report has been triaged, you should help the security team fix the issue. Follow up with their questions promptly, and provide any additional information they ask for.

一旦报告被分类，您就应该帮助安全团队修复该问题。尽快跟进他们的问题，并提供他们所要求的任何附加信息。

Resolved

When your report is marked as resolved , the reported vulnerability has been fixed. At this point, pat yourself on the back and rejoice in the fact that you’ve made the internet a little safer. If you are participating in a paid bug bounty program, you can also expect to receive your payment at this point!

当您的报告被标记为已解决时，报告的漏洞已经被修复。此时，请给自己打个“赞”，并欣喜地看到您让互联网更加安全了一点。如果您参加的是有偿漏洞赏金计划，那么此时您也可以期待收到您的报酬！

There’s nothing more to do with the report besides celebrate and continue hacking.

除了庆祝并继续攻击之外，报告没有更多的事情要做了。

Dealing with Conflict

Not all reports can be resolved quickly and smoothly. Conflicts inevitably happen when the hacker and the security team disagree on the validity of the bug, the severity of the bug, or the appropriate payout amount. Even so, conflicts could ruin your reputation as a hacker, so handling them professionally is key to a successful bug hunting career. Here’s what you should do if you find yourself in conflict with the security team.

并非所有报告都能迅速和顺利地解决。当黑客和安全团队就漏洞的有效性、严重程度或适当的红利金额存在分歧时，冲突不可避免。即便如此，冲突可能会毁掉你作为黑客的声誉，因此，处理冲突是一个成功的漏洞狩猎生涯的关键。如果您与安全团队发生冲突，以下是您应该做的事情。

When you disagree with the security team about the validity of the bug, first make sure that all the information in your initial report is correct. Often, security teams mark reports as informative or N/A because of a technical or writing mistake. For example, if you included incorrect URLs in your POC, the security team might not be able to reproduce the issue. If this caused the disagreement, send over a follow-up report with the correct information as soon as possible.

当您对安全团队关于缺陷的有效性有异议时，请首先确保初始报告中的所有信息都是正确的。通常，由于技术或写作错误，安全团队将报告标记为“信息性”或“N/A”。例如，如果您在 POC 中包含了错误的 URL，则安全团队可能无法重现问题。如果这引起了分歧，请尽快发送带有正确信息的后续报告。

On the other hand, if you didn’t make a mistake in your report but still believe they’ve labeled the issue incorrectly, send a follow-up explaining why you believe that the bug is a security issue. If that still doesn’t resolve the misunderstanding, you can ask for mediation by the bug bounty platform or other security engineers on the team.

另一方面，如果您在报告中没有犯错误，但仍然认为他们错误地标记了问题，请发送后续说明为什么您认为该漏洞是安全问题。如果仍然不能解决误解，您可以要求 Bug 赏金平台或团队中的其他安全工程师进行调解。

Most of the time, it is difficult for others to see the impact of a vulnerability if it doesn’t belong to a well-known bug class. If the security team dismisses the severity of the reported issue, you should explain some potential attack scenarios to fully illustrate its impact.

大多数情况下，如果漏洞不属于知名的漏洞类别，其他人很难看到其影响。如果安全团队忽略了所报告问题的严重性，您应该解释一些潜在的攻击情景，以充分说明其影响。

Finally, if you’re unhappy with the bounty amount, communicate that without resentment. Ask for the organization’s reasoning behind assigning that bounty, and explain why you think you deserve a higher reward. For example, if the person in charge of your report underestimated the severity of the bug, you can elaborate on the impact of the issue when you ask for a higher reward. Whatever you do, always avoid asking for more money without explanation.

最后，如果你对悬赏金额感到不满意，不要带着怨恨沟通。询问组织分配悬赏的理由，并解释为什么你认为自己应该获得更高的奖励。例如，如果负责你报告的人低估了漏洞的严重程度，当你要求更高的奖励时，你可以详细说明问题的影响。无论你做什么，都要避免没有解释地要求更多的钱。

Remember, we all make mistakes. If you believe the person handling your report mishandled the issue, ask for reconsideration courteously. Once you’ve made your case, respect the company’s final decision about the fix and bounty amount.

请记住，我们都会犯错误。如果你认为处理你的报告的人处理了问题，请礼貌地请求重新考虑。一旦你提出了你的要求，尊重公司对修复和赏金数额的最终决定。

Building a Partnership

The bug bounty journey doesn’t stop after you’ve resolved a report. You should strive to form long-term partnerships with organizations. This can help get your reports resolved more smoothly and might even land you an interview or job offer. You can form good relationships with companies by respecting their time and communicating with professionalism.

在解决漏洞报告后，漏洞赏金计划之旅并不会停止。您应该努力与组织建立长期合作关系。这可以帮助您更顺利地解决报告，甚至可能获得面试或工作机会。您可以通过尊重他们的时间并以专业的方式沟通，与公司建立良好的关系。

First, gain respect by always submitting validated reports. Don’t break a company’s trust by spamming, pestering them for money, or verbally abusing the security team. In turn, they’ll respect you and prioritize you as a researcher. Companies often ban hunters who are disrespectful or unreasonable, so avoid falling into those categories at all costs.

首先，通过始终提交经过验证的报告获得尊重。不要通过垃圾邮件、催要付款或口头虐待安全团队破坏公司的信任。反过来，他们会尊重你并将你视为研究人员的优先考虑对象。公司通常禁止不尊重或不合理的猎人，因此要尽可能避免落入这些类别。

Also learn the communication style of each organization you work with. How much detail do they expect in their reports? You can learn about a security team’s communication style by reading their publicly disclosed reports, or by incorporating their feedback about your reports into future messages. Do they expect lots of photos and videos to document the bug? Customize your reports to make your reader’s job easier.

还要学习与每个你合作的组织的沟通风格。他们期望在报告中看到多少细节？通过阅读他们公开披露的报告或将他们对你的报告的反馈纳入未来的消息中，你可以了解一个安全团队的沟通风格。他们期望看到大量的照片和视频来记录漏洞吗？定制你的报告，使你的读者的工作更轻松。

Finally, make sure you support the security team until they resolve the issue. Many organizations will pay you a bounty upon report triage, but please don’t bail on the security team after you receive the reward! If it’s requested, provide advice to help mitigate the vulnerability, and help security teams confirm that the issue has been fixed. Sometimes organizations will ask you to perform retests for a fee. Always take that opportunity if you can. You’ll not only make money, but also help companies resolve the issue faster.

最后，确保在安全团队解决问题之前给予他们支持。许多组织会在报告整理后向您支付赏金，但请不要在获得奖励后放弃安全团队！如果需要，提供建议以帮助减轻漏洞，并帮助安全团队确认问题是否已得到解决。有时组织会要求您进行再测试以获取费用。如果可以，一定要抓住这个机会。您不仅可以赚钱，还可以帮助企业更快地解决问题。