Severity Labs

Principles

How we think about the work.

Ten stances that drive how we triage. Some are technical, some are operational, all are non-negotiable for us.

  1. No silent closures.

    Every report gets a written reply, even if it's closed in five minutes. Hunters keep submitting where they get answers. Silence is the cheapest way to lose your best researchers.

  2. CVSS is the floor, not the ceiling.

    Base score tells you the worst case. Risk lives in your environment — what asset, what data, what compensating controls. Both numbers go in the report; engineers act on the second.

  3. Reproduce, then write.

    Triagers who write up reports they haven't reproduced ship low-quality tickets and burn engineering trust. We reproduce every valid finding before it leaves our queue.

  4. Dedup is a discipline.

    Most duplicates aren't obvious. Same root cause, different sink. Same vector, different parameter. We maintain a per-program dedup index and update it on every closure.

  5. Hunter relationships matter.

    The same person who reported a P3 today might find a P1 next month — if they came back. We respond like humans, push back like humans, pay fairly, and acknowledge skill.

  6. Scope is enforced, not negotiated.

    Out-of-scope reports get a polite, specific 'no, here's why' the first time. The third time from the same hunter, they get a final explanation and a block. Programs that bend on scope rot fast.

  7. Suggested fix direction, not fix code.

    We're not your engineering team. We point at the root cause, suggest a direction, and link to the file or function we suspect. The fix is yours.

  8. Severity inflation is poison.

    Calling a P3 a P1 to make a hunter happy is fraud against your engineering team. Every triager fights this pressure; we fight it harder by writing severity justifications you can audit.

  9. We don't do platform politics.

    We don't take sides between you and your hunters. We don't run opinions on bounty amounts past the hunter before sending them. We document, defend, and revise when we're wrong.

  10. Boring is the goal.

    A program that runs well is uneventful. Reports come in, get sorted, get fixed, get closed. The day we make the news is the day something has gone very wrong.

Get started

Stop letting reports pile up.

Hunters lose interest. Engineers lose mornings. The next report is already in the inbox.