Understanding the Psychology of Bug Bounty Triage Teams — Why Some Bugs Get Marked as Duplicates…
Summary
A common frustration for ethical hackers in bug bounty programs is submitting a report on what appears to be a critical vulnerability, only to have it closed as a duplicate or as informative, leaving the researcher with neither a reward nor recognition for the work.
This article explains the psychology of bug bounty triage teams and offers advice on avoiding common pitfalls so that your findings stand the best chance of being rewarded.
Triage teams filter a high volume of reports every day. Their job is to ensure that no duplicate payouts are made, that only high-impact vulnerabilities are prioritised, and that false positives are kept to a minimum.
The author points out that triagers are not actively hunting for vulnerabilities themselves, so their thinking is not conditioned to reach the same conclusions a researcher reaches; they may not perceive an issue as critical even when it genuinely is. A report that assumes the reader will fill in the gaps is therefore at risk of being under-rated.
Hence, submitters should include as much relevant information as possible: clear, step-by-step reproduction instructions, a concrete description of the risk and impact (what an attacker actually gains), and a reproduction video where practical. The less a triager has to infer on their own, the more likely the finding is to be recognised as valid and rated at its true severity.