Whitepaper
AI-Powered Vulnerability Report Triage for Small and Medium Businesses: Reducing Noise, Saving Time, Protecting Privacy.
Executive summary
Why the vulnerability disclosure process is broken for SMBs, and how AI triage fixes it.
Vulnerability Disclosure Programmes (VDPs) and bug bounty initiatives are essential for any organisation that takes security seriously. They invite external researchers to report weaknesses before attackers can exploit them. But for small and medium businesses, the operational burden of receiving, reading, classifying, and responding to these reports can be overwhelming - and it's getting worse.
The rise of AI-generated vulnerability reports has fundamentally changed the economics of disclosure programmes. Tools like ChatGPT, Claude, and open-source LLMs have made it trivial to generate convincing-looking security reports at scale. Many of these submissions describe theoretical vulnerabilities, inflate severity ratings to attract attention, or simply repackage generic scanner output with polished language. The result is a flood of reports that look legitimate but contain little actionable substance - and every one of them still needs to be read and assessed by a human.
Industry data shows that over 50% of incoming vulnerability submissions are now noise - spam, out-of-scope reports, duplicates, severity-inflated findings, and AI-generated low-effort filings. A security analyst typically spends 20-30 minutes per report on initial assessment alone. For an organisation receiving 80 reports per week, that's over 33 hours of manual triage - nearly a full-time employee dedicated to sorting through noise to find the signal.
Bugtri solves this by automating the triage layer. It connects to your shared mailbox, sanitises sensitive data from each report before it reaches any AI, analyses the clean text using your own AI API key, scores and classifies it, and delivers a structured triage summary back to your inbox - complete with a decision, risk score, confidence rating, and the original report appended below.
The problem
Why vulnerability disclosure is uniquely painful for smaller teams.
Large enterprises typically have dedicated security operations centres, custom-built triage tooling, and full-time staff to manage their bug bounty programmes. Small and medium businesses have none of this. They often operate a shared mailbox like security@company.com or bugbounty@company.com, monitored by a small team (or a single person) alongside their other responsibilities.
The AI-generated report problem
Since the widespread availability of large language models in 2023-2024, security teams across the industry have reported a sharp increase in AI-generated vulnerability submissions. These reports are often well-structured, use correct terminology, and reference real CVE identifiers - making them difficult to distinguish from genuine findings at first glance.
However, many of these submissions share common patterns: inflated severity ratings (claiming "Critical" for minor misconfigurations), theoretical attack scenarios that don't apply to the target environment, recycled scanner output wrapped in convincing prose, and copy-paste templates submitted to dozens of organisations simultaneously. Some researchers use AI to generate high volumes of speculative reports across multiple programmes, hoping a percentage will land payouts - regardless of actual exploitability.
For a small InfoSec team already stretched thin, this creates a particularly damaging dynamic: the volume of incoming reports increases, but the proportion of genuinely valuable findings decreases. Every AI-generated report with an inflated "Critical" severity rating still demands careful human attention to confirm it's not a real threat - consuming the same 20-30 minutes of analyst time as a legitimate finding.
"In 2024, 62% of organisations reported that the volume of low-quality vulnerability submissions had increased year-over-year, driven largely by AI-generated reports."
- Bugcrowd Inside the Mind of a Hacker Report, 2024
The severity inflation problem
Alongside AI-generated content, severity inflation has become a persistent challenge. Researchers - whether human or AI-assisted - routinely overstate the impact of their findings to increase the likelihood of a payout or a faster response. A missing HTTP header becomes "Critical", an informational disclosure becomes "High", and a self-XSS becomes a "Remote Code Execution risk".
Without automated scoring that evaluates actual exploitability, evidence quality, and scope independently of the researcher's self-assessment, small teams have no reliable way to prioritise. The result is that genuinely critical findings sit in the same queue as inflated noise - and response times suffer across the board.
The compounding effect on small teams
- Volume vs. capacity: Even modest VDP programmes can generate 20-100+ submissions per week. With AI-generated submissions, this number is increasing quarter-over-quarter, while team headcount stays the same.
- Signal buried in noise: When 60-70% of your inbox is AI-generated or severity-inflated, genuine critical vulnerabilities are easily overlooked or delayed - increasing the window of exposure.
- Analyst fatigue: Reading the same recycled "missing security headers" report for the twentieth time in a week leads to triage fatigue, where even experienced analysts start skimming and potentially miss real threats.
- Researcher experience: Slow or absent responses lead to frustrated legitimate researchers who may disclose publicly or stop reporting to your programme altogether.
- Privacy risk: Overwhelmed analysts who forward reports to AI tools like ChatGPT for help are inadvertently exposing internal infrastructure details - URLs, IPs, email addresses, and domains - to third-party services.
- No standardisation: Without consistent scoring independent of researcher claims, triage decisions vary by analyst, time of day, and workload - leading to inconsistent risk assessment and unpredictable response times.
The solution
How Bugtri automates the triage layer without exposing your data.
Bugtri sits between your mailbox and your security team. It intercepts incoming vulnerability reports, processes them through a privacy-preserving AI triage pipeline, and delivers actionable summaries - all without requiring any code changes, agent installations, or infrastructure setup.
The six-step pipeline
- Report arrives: a researcher emails your shared mailbox.
- Bugtri intercepts: an OAuth connection reads a copy (the original is untouched).
- Data sanitised: URLs, IPs, emails, and domains are replaced with tokens.
- AI analyses: the clean text is sent to your AI provider via your key.
- Tokens restored: the real values are placed back into the triage summary.
- Triage delivered: the decision, score, and summary, plus the original report, arrive in your inbox.
Privacy-first by design
The critical differentiator is the sanitisation layer. Before any report text reaches an AI provider, Bugtri automatically strips sensitive data and replaces it with safe placeholder tokens (e.g. __URL_1__, __IP_2__, __EMAIL_1__). This means your real infrastructure details - internal URLs, server IPs, employee email addresses, and domain names - never reach the AI provider.
After the AI returns its analysis, Bugtri restores the original values in the final triage email. Your team sees the full picture. The AI never does. You also control exactly which data categories are sanitised and can add custom regex patterns for organisation-specific information.
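The sanitise-then-restore step described above, as an added example written for this page; it is not Bugtri's own code. It assumes the token format shown in the text (__URL_1__, __IP_2__, __EMAIL_1__ and so on), a constructed sample report, and deliberately simplified regexes (the domain rule's short TLD list in particular is an assumption, not a production matcher). A custom rule is registered the way the text describes for organisation-specific identifiers, a repeated value always maps to the same token, and a residual-match check runs over the sanitised text before it would leave for the provider.

```python
import re
from dataclasses import dataclass, field

# Ordered rules. Order matters: URLs are tokenised before bare domains so a
# URL's host is never matched a second time, and e-mail addresses before
# domains for the same reason. The domain rule's TLD list is an assumed,
# intentionally small sample.
DEFAULT_RULES = [
    ("URL", re.compile(r"https?://[^\s<>'\"]+")),
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("DOMAIN", re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|co\.uk|internal|local)\b", re.I)),
]


@dataclass
class Sanitiser:
    rules: list = field(default_factory=lambda: list(DEFAULT_RULES))
    tokens: dict = field(default_factory=dict)   # real value -> placeholder token
    counts: dict = field(default_factory=dict)   # label -> tokens issued so far

    def add_custom_rule(self, label: str, pattern: str) -> None:
        """Organisation-specific rule (e.g. internal hostnames); runs before the defaults."""
        self.rules.insert(0, (label, re.compile(pattern)))

    def _token(self, label: str, value: str) -> str:
        # The same real value always receives the same token, so the model can
        # still see that two mentions refer to one host without learning which.
        if value not in self.tokens:
            self.counts[label] = self.counts.get(label, 0) + 1
            self.tokens[value] = f"__{label}_{self.counts[label]}__"
        return self.tokens[value]

    def sanitise(self, text: str) -> str:
        for label, regex in self.rules:
            text = regex.sub(lambda m, lab=label: self._token(lab, m.group(0)), text)
        return text

    def residual_matches(self, sanitised: str) -> list:
        """Anything a rule still matches after tokenisation; must be empty before sending."""
        return [(label, m.group(0))
                for label, regex in self.rules
                for m in regex.finditer(sanitised)]

    def restore(self, text: str) -> str:
        """Put the real values back into the model's summary for the in-house reader."""
        for value, token in self.tokens.items():
            text = text.replace(token, value)
        return text


# Constructed sample submission, not a real report.
SAMPLE_REPORT = (
    "Reflected XSS on https://app.example.com/search?q=test\n"
    "Also reachable on https://app.example.com/search?q=test via the staging host staging.example.com\n"
    "Backend resolves to 10.0.12.7. Contact me at researcher@mailbox.example.org."
)


def fake_model(clean_text: str) -> str:
    """Stand-in for the provider call: it only ever sees tokens and echoes them back."""
    assert "10.0.12.7" not in clean_text
    return "Summary: reflected XSS at __URL_1__ (host __DOMAIN_1__, backend __IP_1__); reporter __EMAIL_1__"


def triage_round_trip(report: str) -> tuple:
    """Sanitise -> model -> restore, returning (what the model saw, what the team sees)."""
    s = Sanitiser()
    clean = s.sanitise(report)
    if s.residual_matches(clean):
        raise RuntimeError("sanitisation incomplete; refusing to send")
    return clean, s.restore(fake_model(clean))


if __name__ == "__main__":
    seen_by_model, seen_by_team = triage_round_trip(SAMPLE_REPORT)
    print(seen_by_model)
    print(seen_by_team)
```

The residual check is cheap insurance: a substitution can in principle expose text a later rule then matches, and a release gate that refuses to send on any leftover match is easier to reason about than trusting rule ordering alone.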
Bring Your Own Key (BYOK)
Bugtri uses your own API key from your chosen AI provider - OpenAI, Anthropic (Claude), Google Gemini, or other compatible services. This means your data is processed under your terms with that provider, not ours. Your vulnerability reports are never used to train AI models, and Bugtri never sends data using our own keys.
Scoring & triage decisions
Consistent, configurable, and transparent classification of every report.
Every incoming report is scored on a 0-10 scale based on factors including vulnerability type, severity, exploitability, authentication requirements, evidence quality, and scope. The AI also produces a confidence rating indicating how certain it is in its assessment.
| Decision | Description | Typical action |
|---|---|---|
| Auto-Decline | Spam, duplicates, out-of-scope, low-quality | Automatic decline response (optional) |
| Queue | Standard reports requiring human review | Team reviews at normal priority |
| Fast-Track | High-value reports with strong evidence | Accelerated review and response |
| Urgent | Critical findings requiring immediate action | Immediate escalation to senior staff |
All scoring weights, decision thresholds, and multipliers are fully configurable. Choose from built-in presets (Lenient, Default, Strict) or create a custom configuration that matches your organisation's risk appetite. A safety net ensures that if the AI's confidence falls below a configurable threshold (default 40%), auto-decline decisions are automatically overridden to Queue - guaranteeing human review of uncertain assessments.
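A minimal version of the scoring and decision logic this section describes, as an added example written for this page rather than Bugtri's own code. The 0-10 scale, the four decisions, the preset names and the 40% confidence safety net are taken from the text; the factor weights, the authentication multiplier, the numeric thresholds behind each preset and the sample assessments are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Weights:
    # Relative weight of each scoring factor; they sum to 1.0. Assumed values,
    # not Bugtri's own presets.
    vuln_type: float = 0.30
    severity: float = 0.25
    exploitability: float = 0.25
    evidence: float = 0.20
    # Multiplier applied when exploitation needs an authenticated account.
    auth_required_multiplier: float = 0.8


@dataclass(frozen=True)
class Policy:
    # Decision thresholds on the 0-10 scale (assumed values).
    decline_below: float          # score below this      -> Auto-Decline
    fast_track_at: float          # score at or above this -> Fast-Track
    urgent_at: float              # score at or above this -> Urgent
    min_confidence: float = 0.40  # the page's default 40% safety net
    weights: Weights = field(default_factory=Weights)


# Illustrative presets: "strict" declines more readily and wants a higher
# score before fast-tracking. The names are from the page, the numbers are not.
PRESETS = {
    "lenient": Policy(decline_below=2.0, fast_track_at=6.0, urgent_at=8.0),
    "default": Policy(decline_below=3.0, fast_track_at=7.0, urgent_at=9.0),
    "strict": Policy(decline_below=4.0, fast_track_at=8.0, urgent_at=9.5),
}


@dataclass(frozen=True)
class Assessment:
    # Factor estimates as the model would return them, each 0.0-1.0. `severity`
    # is the impact inferred from the evidence, not the label the reporter chose.
    vuln_type: float
    severity: float
    exploitability: float
    evidence: float
    in_scope: bool
    requires_auth: bool
    confidence: float


@dataclass(frozen=True)
class Triage:
    decision: str
    score: float
    reason: str


def score(a: Assessment, w: Weights) -> float:
    """Weighted 0-10 score that ignores the reporter's self-assessed severity."""
    if not a.in_scope:
        return 0.0
    raw = (w.vuln_type * a.vuln_type + w.severity * a.severity
           + w.exploitability * a.exploitability + w.evidence * a.evidence)
    if a.requires_auth:
        raw *= w.auth_required_multiplier
    return round(min(max(raw * 10.0, 0.0), 10.0), 1)


def decide(a: Assessment, policy: Policy) -> Triage:
    s = score(a, policy.weights)
    if s >= policy.urgent_at:
        decision, reason = "Urgent", f"score {s} >= {policy.urgent_at}"
    elif s >= policy.fast_track_at:
        decision, reason = "Fast-Track", f"score {s} >= {policy.fast_track_at}"
    elif s < policy.decline_below:
        decision, reason = "Auto-Decline", f"score {s} < {policy.decline_below}"
    else:
        decision, reason = "Queue", f"score {s} in the human-review band"
    # Safety net: an uncertain assessment is never auto-declined.
    if decision == "Auto-Decline" and a.confidence < policy.min_confidence:
        decision = "Queue"
        reason += f"; overridden, confidence {a.confidence:.0%} below {policy.min_confidence:.0%}"
    return Triage(decision, s, reason)


# Constructed sample assessments, not real submissions.
MISSING_HEADER = Assessment(0.1, 0.1, 0.2, 0.3, True, False, 0.9)   # reporter said "Critical"
UNAUTH_RCE = Assessment(1.0, 1.0, 1.0, 0.9, True, False, 0.85)
AUTH_RCE = Assessment(1.0, 1.0, 1.0, 0.9, True, True, 0.85)

if __name__ == "__main__":
    for name, a in [("missing header", MISSING_HEADER), ("unauth RCE", UNAUTH_RCE), ("auth RCE", AUTH_RCE)]:
        for preset in PRESETS:
            print(f"{name:15s} {preset:8s} {decide(a, PRESETS[preset])}")
```

Keeping the score and the confidence as separate outputs is what makes the safety net meaningful: a low score says "this looks like noise", a low confidence says "I am not sure", and only the combination of a confident low score should ever skip a human.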
Return on investment
Measurable time and cost savings from automated triage.
The ROI of automated triage is straightforward to calculate. Based on industry benchmarks from Ponemon Institute, HackerOne, and Bugcrowd:
| Metric | Manual triage | Bugtri triage |
|---|---|---|
| Time per report | 25 minutes | ~5 minutes |
| Auto-decline rate | 0% (all read manually) | ~50% (industry average noise rate) |
| 80 reports/week - analyst hours | 33.3 hours/week | ~8.3 hours/week |
| Annual time saved | - | ~1,300 hours |
| Cost saved (UK avg. £41.60/hr) | - | ~£54,000/year |
| FTE equivalent saved | - | ~0.6 FTE |
At a starting price of £9/month, the return on investment is immediate for any team receiving more than a handful of vulnerability reports per week. The Premium plan (£29/month) adds auto-responses, custom scoring, and extended retention - paying for itself many times over in analyst time saved.
"The average cost of triaging a single vulnerability report manually is approximately £17. Automating the initial assessment and classification layer reduces this to under £3 per report."
- Bugtri internal analysis based on Ponemon Institute data, 2024
Bugtri vs. manual triage
A side-by-side comparison of the traditional approach versus automated AI triage.
| Capability | Manual process | Bugtri |
|---|---|---|
| Setup time | Weeks (tooling, training) | Under 2 minutes |
| Privacy protection | Data manually handled | Auto-sanitised before AI |
| Consistent scoring | Varies by analyst | Configurable, reproducible |
| 24/7 availability | Business hours only | Always-on monitoring |
| Auto-responses | Manual emails | Per-decision templates |
| Audit trail | Inconsistent | Full dashboard + analytics |
| Data retention control | Ad hoc | Configurable + auto-purge |
| Infrastructure required | Internal tooling | None (SaaS) |
Conclusion
Vulnerability disclosure programmes are a critical component of any organisation's security posture, but the operational cost of managing them manually is disproportionate for small and medium businesses. The majority of incoming submissions are noise, and the minority that matter most are easily lost in the volume.
Bugtri addresses this by inserting an intelligent, privacy-preserving triage layer between your mailbox and your security team. It automates the assessment, scoring, and classification of every report - while ensuring your sensitive infrastructure data never reaches third-party AI providers.
With setup in under 2 minutes, no infrastructure to manage, and a pricing model that pays for itself from the first week, Bugtri enables SMBs to run vulnerability disclosure programmes with the efficiency of a dedicated security operations centre - without needing one.