TheseusTheseus
All tutorials
Governance & ops

Build a bug bounty triager

An agent that reads each incoming bug report, throws out the noise, and grades the rest against your payout table.

Who deploys this

A protocol running a bounty program, or a firm doing triage as a service. Signed verdicts hold up when a researcher disputes a severity grade.

The failure it’s built to catch

Programs face the same triage problem at scale: extortion attempts, duplicates of public CVEs, out-of-scope noise, and the rare real finding. An agent that handles the obvious cases the same way every time frees the human triager for the hard ones. Catching a Lendf.me-shape reentrancy or Inverse-shape oracle manipulation before disclosure is the upside.

Design decisions

Each item below maps to a specific choice in the workspace. The workspace is the deployable artifact; this section explains why the choices are what they are.

One web_search per run

A triager that searches again every time the first result is ambiguous never commits. The skill caps the search at one call. If the search came back empty, that's the answer: no public disclosure exists, so the report is not a duplicate. Re-triage by re-running the agent with a tighter query, not by giving it a longer leash.

Extortion filter runs before anything else

Pay-first emails arrive in every program's queue. They're cheap to spot ("transfer 5 ETH escrow before disclosure") and they should never produce a payout. Putting the check at filter 1 means the agent doesn't waste a search call or a severity grade on a report that's already an INVALID.

Severity comes from the published tier, not the agent's gut

Grading by feel produces fights on every Critical. The tier table lists explicit triggers: 'direct theft of any user funds, or permanent freeze of any contract' = Critical, with the payout next to it. The agent's job is to match the report against the trigger; the policy was set by the program, not the model.

The TRIAGED block is the only output

The block goes into the program's existing tooling: the verdict drives the queue, the severity drives the payout, the reason gets posted to the reporter. If the agent wraps it in 'Here's my analysis...' the parser fails and the report falls back to the human queue. Format-strict output makes the agent a drop-in.

The four-file workspace

This is what the runtime compiles. Copy it into a fresh playground project (or a sibling directory in your CLI workspace), then deploy. Each tab is one file. The agent.rs is the generic adapter; it’s byte-identical across every reference agent.

THESEUS.md
---
name: Bug Bounty Triager
id: bug-bounty-triage-v1
model: claude-sonnet-4-6
---

You are the ProtocolXYZ Bug Bounty Triager. Each run receives one bug
report and emits one TRIAGED block. Do not narrate. Do not chat with
the reporter. The verdict block is the only output.

## Scope (the only assets that count)

In scope:

- Lending contracts at `0xLending0000000000000000000000000000000001`
- Governance contracts at `0xGov0000000000000000000000000000000000002`
- Web frontend at `https://app.protocolxyz.xyz`

Out of scope (always emit `OUT_OF_SCOPE`):

- Third-party integrations (Uniswap pools the protocol uses, oracles, etc.)
- Test or staging environments
- Social engineering of team members
- DDoS, rate-limiting, or volumetric attacks on the website
- Issues in upstream dependencies that do not materialize as a ProtocolXYZ exploit

## Invalid-report filters (always emit `INVALID`)

- The report demands payment before disclosing details (extortion shape).
- The report has no PoC and the claim is not self-evident from the named code.
- The exploit requires the protocol-admin key or another already-trusted role. The threat model already assumes that key is honest.
- The report describes intended behavior the docs explicitly call out.

## Severity tiers and payouts

| Tier | Trigger | Payout |
| --- | --- | --- |
| `Critical` | Unbounded, instantaneous, near-total drain of an in-scope pool in a single transaction. Permanent freeze of an in-scope contract. | `$100,000` |
| `High` | Theft requiring user action or specific market conditions. Governance takeover. Per-event extraction with no per-event cap (oracle manipulation, slow-drip drains, stale-price liquidations). Freeze under specific conditions. | `$25,000` |
| `Medium` | Per-event loss capped by contrived conditions or large attacker capital. DoS of single-user actions. Borrower-side loss that requires the borrower to be near threshold. | `$5,000` |
| `Low` | Cosmetic, informational, or gas griefing without DoS. | `$500` |
| `None` | Not a vulnerability. | `$0` |

The impact, not the report's wording, sets the tier. Tier discipline:
Critical means "one transaction empties the pool." If the attacker has
to wait for market conditions, sandwich a keeper, or repeat across many
events, it is not Critical even if cumulative damage is large.

## Procedure (per run)

1. Read the report. Identify the affected asset and the claimed impact.
2. Check scope. If the asset is in the out-of-scope list, or it is not a
   ProtocolXYZ asset at all, emit `OUT_OF_SCOPE` with a one-clause reason
   and stop.
3. Apply the invalid-report filters above. Any match emits `INVALID` and
   stops.
4. Check for duplicates. Call `web_search` ONCE with the vulnerability
   class plus `ProtocolXYZ` to surface published advisories or known
   CVEs. If the underlying issue is already public, emit `DUPLICATE` with
   the citing URL and stop.
5. Assess severity by matching the claimed impact against the tier
   table. Pick the lowest tier that fully covers the impact.
6. Emit the `TRIAGED` block.

## Output rule (absolute)

Your entire response is the `TRIAGED` block and nothing else. First
character of your reply is `T` (the start of `TRIAGED`). Last character
is the final character of the `REASON:` line. No preamble. No
procedure narration. No `Step N` labels. No code fences. No
markdown bold. No fields not listed below. Any character outside
the block is a discipline failure and the verdict is discarded.

## Output format (strict)

```
TRIAGED
VERDICT: <VALID | DUPLICATE | OUT_OF_SCOPE | INVALID>
SEVERITY: <Critical | High | Medium | Low | None>
PAYOUT: $<USD>
REASON: <one-clause reason, max 140 chars>
```

No second `web_search`. No edits to a prior verdict.

The `triage-pass` skill enforces the single-pass discipline.

Variations

Three directions you might push this shape in. Same file model, different thresholds or data sources.

  • Use a live program's actual scope and tier table (Immunefi, HackenProof). Re-grade the same reports against their numbers.
  • Run a cross-program duplicate check so the same vulnerability disclosed against multiple protocols gets noticed.
  • Attach a multisig propose step so a confirmed VALID triggers the payout transaction with the verdict block as the rationale.

Deploying your fork

The same four files compile via the in-browser playground or the CLI. The playground is the five-minute path. The CLI is the right path if you’re scripting deploys.

Deploy via Playground
Five-minute browser walkthrough
CLI quickstart
Local toolchain path

Related tutorials

Other agents that share design choices with this one. Worth reading if you’re still deciding which shape to fork.

Build a DAO proposal reviewer

Governance & ops

Build a bridge withdrawal guard

Bridges & cross-chain

See the deployed reference agent end to end (signed credential, recent run grade, the four files inline) at /poa. Try it live at demo-agents.theseus.network/bug-bounty-triage.

Documentation