Cale

Alright, A few thoughts on the triage discussion. Everyone is talking about AI slop, but I think it’s exposing a bigger issue that’s existed for years. Bug bounty still doesn’t have shared standards for triage or mediation. The same report can receive completely different outcomes depending on the platform, customer, triager or mediator involved. That was frustrating when report volume was manageable. 1/?

Personally I’d love to see two open standards emerge. A triage standard maintained by HackerOne since they have the strongest technical team out of any platform (I’m biased here) A mediation standard maintained by Immunefi since they seem to handle it the best Not owned by them. Maintained by them. And adopted by every platform Put both in public GitHub repositories. Let hackers, customers and platforms propose changes, discuss them publicly and vote on them. If AI is going to increase report volume by 10x or 100x, the least we can do is make sure that we have clear consistent standards across every platform The goal should be to make bug bounty more consistent, transparent and scalable before AI forces the issue for everyone. 3/3

We have CVEs. We have CWEs. We have CVSS. We don’t have an equivalent standard for how reports are triaged, how duplicates are handled, how impact is assessed, how mediation works or what happens when there is a dispute. Instead every platform and customer has their own interpretation of the rules. 2/3