Services
What triage actually looks like.
We're the layer between your hunters and your engineers. Everything below is what we do, what we don't, and what you can add when you need it.
Workflow
From inbound to closeout, here's the end-to-end.
01
Inbound
Reports route to a Severity Labs address or a forwarder from your existing security@ inbox. We acknowledge within SLA, log every submission, and assign a tracking ID before anyone on your side sees it.
02
Triage
We deduplicate against history, confirm scope, and either reject with a clear reason or move forward with reproduction. Hunters get a real reply, not a templated brush-off.
03
Validation
We reproduce end-to-end, capture screenshots and request/response evidence, and write up impact based on what's actually exploitable. If we can't reproduce, we say so before escalating.
04
Scoring
CVSS 3.1 vector and base score, with a written justification. We also annotate business-context severity, because a 9.8 in a sandbox isn't the same as a 6.5 on a payment endpoint.
05
Handoff
A dev-ready issue lands in your tracker: title, asset, repro, impact, suggested fix direction, severity, and a link to evidence. Engineers can pick it up cold.
06
Closeout
We coordinate the retest with the hunter once the fix is deployed, confirm the fix holds, and close the report with a written disposition. Bounty payment recommendations included if you run a paid program.
Included
What's in every engagement.
- Acknowledgement and SLA tracking
- Deduplication against historical reports
- Scope and policy enforcement
- End-to-end reproduction with evidence
- CVSS 3.1 scoring and justification
- Business-context severity annotation
- Dev-ready report writing
- Tracker integration (Jira, Linear, GitHub, etc.)
- Hunter communication in your program's voice
- Retest verification once fix ships
- Weekly or monthly summary reporting
Not included
What we don't do.
Clear lines make the work better. If you need any of these, we'll point you at people who do them well.
Penetration testing
We don't run scoped engagements or red team your apps. We triage what hunters bring you.
Shipping the fix
We hand engineers a clear report and a suggested direction. Code changes stay with your team.
Source code review
We work from black-box repro unless you grant access. We don't audit codebases as a service.
Public PR or breach response
We're not your incident response or comms team. If a report indicates active exploitation, we escalate fast and stay in our lane.
What we triage
The bug classes we see, week in and week out.
Every report gets the same workflow regardless of class. The list below is here so you can see what we've reproduced often enough to triage on autopilot — not a scope limit.
Web application
- Stored, reflected, and DOM-based XSS
- SQL injection (in-band, blind, time-based)
- Server-side request forgery (SSRF) and metadata pivots
- Insecure direct object reference (IDOR) and BOLA
- Cross-site request forgery (CSRF) where it actually has impact
- Open redirect (with realistic exploitation chains)
- Server-side template injection (SSTI)
- XML external entity (XXE) and XML injection
- Prototype pollution and gadget chains
Authentication and authorization
- Account takeover via password reset, OAuth, or session fixation
- JWT misconfiguration, alg=none, key confusion
- MFA bypasses and recovery-flow weaknesses
- Privilege escalation between roles, tenants, or scopes
- Race conditions in auth-adjacent flows
API and infrastructure
- Broken object-property authorization in REST and GraphQL
- Mass assignment and excessive-data-exposure findings
- Rate-limit bypasses with downstream impact
- Misconfigured CORS, cookies, or CSP
- Cloud metadata exposure, leaked credentials, public buckets
- Subdomain takeover (CNAME, NS, S3, Heroku, Azure)
Out of (typical) scope
- Self-XSS without exploitation path
- Missing security headers without demonstrated impact
- Public information disclosure that isn't sensitive
- Brute-force / rate-limiting reports without account impact
- Best-practice scans (`securityheaders.com`, SSL Labs) submitted as findings
Add-ons
Optional work, when the program needs more.
Program design
Scope, policy, reward structure, and disclosure timeline — written so hunters understand what's in bounds before they start.
Hunter relations
Direct, ongoing relationships with researchers who consistently bring quality. Invite-only or private-program management included.
Retest verification
Independent confirmation that a deployed fix actually closes the issue, with the original hunter looped in when appropriate.
Quarterly reviews
Submission trends, hunter quality, asset hotspots, SLA performance. Delivered as a written brief and a 60-minute walkthrough.
Get started
Stop letting reports pile up.
Hunters lose interest. Engineers lose mornings. The next report is already in the inbox.