Handle HackerOne analyst responses and triager feedback - classify response type and execute the matching action.
Read the analyst message. Classify into exactly one:
| Type | Signal | Action |
|---|---|---|
| Needs More Info | "Can you provide...", "Could you clarify...", can't reproduce | Go to NMI procedure |
| Severity Downgrade | Severity changed, "We consider this..." | Go to Severity Appeal |
| Duplicate | "Duplicate of #XXXXX" | Go to Duplicate Handler |
| Informative | Closed as Informative | Go to Informative Handler |
| N/A | Closed as N/A, out of scope | Go to N/A Handler |
| Resolved | Fixed, bounty awarded or pending | Record in DB, update context.md |
Gate: If you cannot classify, re-read. Every response fits one type.
NMI procedure:
Hi @{analyst},
## Clarification: {their specific question}
{direct answer}
## Updated Reproduction Steps
Prerequisites:
- Account A (victim): {email}, ID: {id}
- Account B (attacker): {email}, ID: {id}
Steps:
1. {exact URL, not "go to settings"}
2. {exact curl command}
3. Observe: {what confirms the vuln}
## Ambiguous Response Clarification
{if any response looks like failure, explain why it confirms the vuln UPFRONT}
Attached: {screenshot/video/JSON}
Sub-routing:
| They asked about... | Do this |
|---|---|
| Can't reproduce | Add prerequisites, exact URLs, paste-ready curl commands |
| Token/credential source | Show full OAuth/auth flow with exact commands |
| Exploitability | Lead with successful outcome, show leaked/modified data |
| Ambiguous response | Explain why `success: false` (or similar) still confirms the vuln |
Gate: Response addresses every point? All evidence attached? Send.
Severity Appeal:
Do not argue opinion. Provide evidence:
Hi @{analyst},
**Per {program}'s policy:** "{quoted section supporting higher severity}"
**CVSS 3.1:** AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N = {score} ({rating})
**Comparable:** HackerOne #{id} - {similar vuln} rated {severity}
I understand you have the final call. Just ensuring full context.
Gate: CVSS calculated? Policy quoted? Comparable report cited? Send.
Duplicate Handler:
If it is a legitimate duplicate, accept professionally and ask for feedback. If it is wrong:
Hi @{analyst},
Could you share the duplicate report number? My report covers:
- Endpoint: {exact URL}
- Vulnerability: {specific mechanism}
If it matches, I accept the duplicate status.
Gate: Duplicate ID obtained? Same surface confirmed? Accept or contest.
Informative Handler:
Gate: Is it policy or exploitability? If policy, stop. If exploitability, prove it or stop.
N/A Handler:
Gate: Is their reasoning correct? If yes, log in context.md as ruled out. If no, respond with evidence.