What / Who is Praetorian ?
As a collective of highly technical engineers and developers offering deep security expertise, Praetorian solves the toughest challenges faced by today’s leading organizations across an ever-evolving digital threat landscape. Their solutions enable clients to find, fix, stop, and ultimately solve cybersecurity problems across their entire enterprise and product portfolios. As trusted advisors, Praetorian helps organizations minimize overall information security risk across digital assets so they can focus on what's important—their core business. These are some of their key areas of operation ...
In a simpler form : Praetorian will find vulnerabilities in your companies cyber security front.
I worked with Praetorian as a remote UX Designer and helped them improved two key areas of their product. First the Administration portal for all the ongoing projects and second the project to track all the submissions sent in by the researchers for a project.
Praetorian had an initial product up and running but they did not have a designer involved in this project. they had bought a theme from one of the sites and used it to get the UI off the ground. They needed someone who could improve the experience based on the tasks they do often and to create better interfaces for the admin and expert parts of the product.
I started the process of redesign by doing a quick heuristic analysis based on the tasks Praetorian provided me and started creating user stories for the different tasks and parts of the product that involved those tasks. this is more of a UI redesign project than a full UX project and I have focussed more on creating value with the improvements based on jobs to be done framework.
Project 01 : Interface to submit and manage you Bug Bounty submissions
Praetorian has a team of skilled cyber security experts who work on several projects as they come in. They have to keep abreast of all the new projects coming in and evaluate their products from multiple perspectives.
Once the experts join a project they submit multiple vulnerabilities as a report. these reports have to be precise and reproducible so that the client companies can verify if it exists or not. An expert can submit several bug reports for the same company. Once a bug report is submitted there can be a wait time ranging from a couple of days to several weeks. The companies often ask for additional details or artifacts to clarify the exact nature of the security vulnerability and the system has to facilitate this communication and subsequent uploads of different artifacts through the engagement.
Design : Programs List
On Programs List page, the experts can go through all the active bug bounty programs and choose which ones they want to enter. There can hundreds of them running at the same time so the ability of filtering them down is important. This is displayed in the form of a table and provides the most important details experts need to decide whether this is something they want to participate in.
Another key factor was the participation level in the projects as people tend to jump into or shy away from a project based on this metric. I devised a inline graph as an indicator of bugs submitted in this project along with yellow dots signifying bounty pay-offs to encourage more users to join in and submit more bugs.
Design : Bug submission form
After arduous testing a cyber security expert might find a vulnerability in the clients product. They have to communicate this vulnerability to the client in a manner that they can understand it and test whether this actually exists in their system.
To do this the experts need to provide very specific information about the nature of the security flaw. categorizing it in a relevant area which is standardized by governing bodies. They also need to give step by step plan so that the engineers or testers at the client company can reproduce that error. If they are unable to do that the experts don't get paid the prize money and all of their hard work can go to waste. So creating a system that enables them and guides them through all the steps is important.
When I talked to some of the experts who work at Praetorian , as well as some users of other bug bounty programs out there one of the biggest gripes was the non-transparent nature of the platforms in regards to what bugs have already been posted. They end up spending a lot of time finding bugs and then writing lengthy reports only to be get a reply saying this bug was already filed in the system.
I have tried to avoid this by having a check after the expert declares the category of the bug and writes a short description. If there is significant overlap in the current bug being submitted and older submissions, we throw up an alert and the users can compare their reports with older ones based on a excerpt in a new window upon clicking the "browse similar bugs" button.
Based on what they find they can still continue posting their bug as a new case or withdraw their submission and still get some points for their profile.
I have attached the screenshots of the alert and comparison screens below.
Design : My Bug Submissions
The experts job is not over once they submit a detailed report. The client will review the information they have submitted and more often than not they reach out to the experts and ask for some kind of clarification or additional information. For example additional they may request screenshots or OS/Browser version etc. So I made the my submissions page like an email client where the experts and companies can continue their threaded communication and can easily figure out resolutions to roadblocks.
This interface also acts as a place to receive updates on how their submission is progressing through the Praetorian system and get alerts and updates as different actions are taken on their bugs.
Design : Leaderboard
One of the key motivators for people is to see other people succeeding at what they're doing. Having a leader board instills a sense of competition and rivalry between the best experts and gives the rest of the experts a goal to achieve. Also we combined the leaderboard with an activity section where we highlighted all the achievements with badges and stickers to add another level of recognition into the system.
I also recommended having annual and quarterly gifts for the top three positions so that the leaderboard actually means something instead of just a vanity metric.
Project 2: Administration hub for Diana Managers
As you've seen above many simultaneous projects are usually underway at Praetorian. Most of the time the communication happens between the experts and the companies. Still the managers or admins from Praetorian have to keep track of all the activities that are happening across the board and also at a client level. Sometimes the same client has multiple projects running.
When a company comes to Praetorian there is a lot of information exchanged to create a bug bounty campaign. The admin has to create that campaign and add client users as well as invite in-house experts to kick off the bounty hunting. They needed an improved and easy to use method for creation and editing the information and users in these campaigns.
The admins also needed a dedicated dashboard where they can keep a track of the activities in each bug bounty campaign and if necessary try to course correct and remedy any problems.
Design : Bug Bounty Program Creation
The current creation system wasn't really too bad, but upon closer inspection I found several areas where we could improve the experience. For example the step -by - step progress indicator was not a standard pattern and was confusing to most people. So I replaced it with a more traditional and less confusing wizard flow.
The most important part of the flow was the page where key project information is entered like the project type, the different phases in the project and the different ASVS components involved. Some of it needed information recorded in very specific formats. It recquired pre-formatted text fields and drop downs with additional information and data. Implementing these changes was helpful in making the right decisions and reducing the to and forth behaviour when creating the project for a client.
Design : Program List and Program Detail Hub
The Projects list page shows the brief overview of all the projects in one place and shows the number of bugs that've been reported till now. The administrator has to keep and eye out for underperforming cases and invite more experts if the project is not seeing enough traction. The combination of time left in the program shown by the progress bar for each project and the number and category of the bugs reported together provided really valuable information to the admin. however in the older design it was very difficult to co relate these as they were not laid out near each other and in the same axis. The colored background also makes it really easy to determine how many bugs in each category have been reported.
Upon clicking on a bug bounty program in this list you reach the details page for it. This page has all the important information that an admin needs from the project ranging from the bugs reported, the graphs which show the flow of reports over time, the people involved in the bug bounty, detailed list of bugs submitted and the state of all the ASVS components n this project.
However in the old design all of this was put in one long page that was very difficult to scan through and fin the exact details you were looking for. I divided the page in to tabs so that the information is properly segmented and people can jump directly to the section they are interested in. The admins were really happy when they say the screens for the first time as it help them zero in to the right info almost immediately.
I also changed the order of the different information shown in the older page by placing most used elements first and rest of them later as tabs.