
bugcrowd-reporting

Bugcrowd-specific reporting tactics complementing report-writing: VRT category search-and-fallback strategy when no exact match exists, manual severity override when VRT defaults underrate impact, severity-request paragraph as first body section, OOS-clause rebuttal templates (rate limiting on auth-flow endpoints, debug-info framing, user-enumeration with sensitive PII, theoretical-issue counter), chained-finding cross-reference patterns, target selection for QA-vs-prod programs, researcher-side hygiene (Bugcrowdninja email alias, account state restoration, friendly-tester posture). Use when filing a Bugcrowd submission, when VRT default seems wrong, when triager closes as OOS or downgrades severity, when chaining linked submissions, or when scope distinguishes production from QA. Pairs with report-writing and triage-validation.
elementalsouls/Claude-BugHunter · ★ 1,478 · Data & Documents · score 83
Install: claude install-skill elementalsouls/Claude-BugHunter
# BUGCROWD REPORTING — Program-Specific Tactics

> Companion to the generic `report-writing` skill. Use when working specifically on Bugcrowd submissions where VRT mapping, OOS-clause rebuttals, or per-program target selection matter.

This skill encodes patterns that apply specifically to Bugcrowd's submission flow. For the generic per-platform templates (HackerOne / Bugcrowd / Intigriti / Immunefi report bodies), use the `report-writing` skill. For the 7-Question Gate before deciding to report at all, use `triage-validation`.

---

## 1. VRT Category Selection — Search & Fallback Strategy

Bugcrowd's submission form requires a single VRT (Vulnerability Rating Taxonomy) selection. The dropdown's default severity is bound to the chosen node — pick wrong and the form auto-suggests P4 when the actual impact is P3 or P2.

### 1.1 Search hierarchy (try in order, pick the highest-severity match that still describes the bug)

For any finding, search the VRT dropdown with these terms in this order:

1. **The bug's primary class** — e.g., `IDOR`, `XSS`, `SSRF`, `auth bypass`, `2FA bypass`
2. **The data category exposed** — e.g., `PII`, `sensitive data exposure`, `disclosure of secrets`
3. **The control bypassed** — e.g., `broken access control`, `authentication bypass`
4. **The endpoint type** — e.g., `no rate limiting on form > login`, `no rate limiting on form > change password`
5. **The generic parent node** — e.g., `Server Security Misconfiguration > Other`, `Broken Access Contro