When a hacker reports a vulnerability that has already been reported, it's considered a duplicate report. When you mark a report as a duplicate, you can choose between 2 options:
- Add the second hacker as an external participant on the original report. This means the second hacker will be able to view the contents of the original report. The same applies to any subsequent hackers (3rd, 4th, etc.) who submit the same duplicate report and whom you add to the original report.
- Don't add the hacker as an external participant on the original report. Instead, you can let the hacker know that their submitted vulnerability is a duplicate, and you can list the original report number in the comments section.
Adding a Hacker to the Original Report
To add the hacker to the original report:
- Go to the bottom of the report above the comment box.
- Change the action picker to Close report > Duplicate.
- Enter the original report number in the Search report field and select the report from the selection list.
- A check box stating Add hacker name to the original report will show under the Search report field.
- Select the check box to add the hacker to the report.
It's up to your program to determine whether you are comfortable sharing the original report with the hacker who submitted the duplicate report. It's recommended to tie the second report to the original report to provide accountability and to account for Reputation gain or loss for the hacker.