Reviewing Reports
When a security researcher discovers a vulnerability in your application through the bug bounty program, they submit a report through Catchify. The Catchify triage team reviews every report first, and only validated submissions reach your queue for review. This page explains how to review and manage those reports.
How Reports Reach You
Before a report appears in your portal, it goes through Catchify's triage process:
Researcher submits a report -- A researcher identifies a vulnerability and submits detailed documentation
Catchify triage review -- Our security team validates the report, confirming it is legitimate, in scope, and not a duplicate
Report appears in your portal -- Only confirmed, valid reports are forwarded to you for review
You review and respond -- You review the finding and approve or provide feedback
The Catchify triage team filters out duplicates, false positives, and out-of-scope reports so you only spend time on issues that matter.
Viewing Your Reports
Navigate to Bug Bounty and then Reports to see all submissions for your programs. Each report shows:
Title -- A summary of the vulnerability
Severity -- The assessed severity level
Status -- Where the report is in the review process
Researcher -- The username of the researcher who submitted it (researchers remain anonymous by default)
Submitted date -- When the report was received

Report Statuses
Each report moves through the following stages:
New -- The report has been submitted and is awaiting initial triage
Triaged -- The Catchify team has validated the report and it is ready for your review
Confirmed -- You have confirmed that the vulnerability is valid and will be addressed
Approved -- The report has been approved for reward payment
Rejected -- The report was determined to not be a valid finding (with explanation)
Duplicate -- The same vulnerability was already reported by another researcher
Resolved -- The vulnerability has been fixed and verified
The typical flow for a valid report is: New --> Triaged --> Confirmed --> Approved --> Resolved
Reviewing a Report
When you open a report, you will see the full details submitted by the researcher:
Vulnerability description -- What the issue is and how it was found
Impact assessment -- What an attacker could do by exploiting this vulnerability
Steps to reproduce -- How to demonstrate the vulnerability
Evidence -- Screenshots, recordings, or other proof
Suggested severity -- The researcher's proposed severity (the Catchify team may adjust this during triage)

Taking Action on a Report
After reviewing a report, you can:
Confirm the Finding
If you agree the vulnerability is valid, change the status to Confirmed. This signals to the Catchify team that you acknowledge the issue and will work on a fix.
Add Comments
Add comments to communicate with the Catchify team about the report. For example:
Ask for clarification about the reproduction steps
Provide context about why a finding may be less severe in your environment
Share an estimated timeline for a fix
Approve for Reward
When you are satisfied that the report is valid and complete, change the status to Approved. The Catchify team will process the researcher's reward from your bug bounty wallet.
Reject
If you believe the report is not valid or not applicable, you can reject it. Provide a clear explanation so the Catchify team can communicate the reasoning to the researcher.
Prompt responses to reports maintain researcher motivation and program reputation. We recommend reviewing new reports within 48 hours of triage.
After Approval
Once a report is approved:
The researcher receives their reward through the Catchify wallet system
The finding is added to your project's finding list
You can track the fix and request a retest, just like any other finding
The report status changes to Resolved once the fix is verified
Consistent, timely reviews encourage researchers to continue testing your applications. A well-managed bug bounty program attracts the best talent.
