Bugtri

Mailbox Connection Approval

Everything your IT team and management need to approve connecting a shared mailbox to Bugtri.

BUGTRI - MAILBOX CONNECTION: BUSINESS CASE & TECHNICAL REQUIREMENTS
About this document: This page is split into two sections. The Business Case provides the justification for connecting a shared mailbox to Bugtri. The Technical Requirements & Setup section provides permissions, admin pre-configuration, and step-by-step setup instructions for your IT team.

Business Case

What is Bugtri?

Bugtri is an AI-powered triage platform that automates the initial assessment of incoming vulnerability disclosure and bug bounty reports. It connects to a single shared mailbox (e.g. security@company.com) and processes incoming researcher reports through a privacy-preserving AI pipeline, delivering scored triage summaries back to the same mailbox.

Business Benefits

  • Reduce manual triage time by up to 80% - AI scores and classifies each report automatically, so your security team only reviews what matters
  • Respond to researchers faster - auto-responses acknowledge receipt immediately, improving your vulnerability disclosure programme's reputation
  • Protect sensitive data - all URLs, IPs, email addresses, and domains are automatically replaced with placeholder tokens before any report content reaches an AI provider
  • Maintain consistency - every report is scored against the same configurable criteria, eliminating analyst-by-analyst variation and subjective triage
  • Filter AI-generated noise - identify and auto-decline low-quality, severity-inflated, and mass-submitted reports that waste analyst time
  • Configurable and auditable - all scoring weights, thresholds, and auto-response templates are configurable per mailbox with a full audit trail

Data Handling & Privacy

Data Sanitisation

Before any email content reaches an AI provider, sensitive data (URLs, IPs, email addresses, domains) is replaced with safe placeholder tokens. Your infrastructure details never leave Bugtri's servers.
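The substitution described above, shown as an added example: a small regex-based placeholder sanitiser with a reversible mapping, written for this page and not Bugtri's own code. The patterns, the [KIND_n] token format and the sample report are all assumptions made for the illustration.

```python
import re

# Constructed sample report (not real data): the kind of text a researcher sends.
REPORT = (
    "Found an IDOR at https://app.example.com/api/users/42 on host 203.0.113.7.\n"
    "Reporter: alice@researcher.example. Also affects staging.example.com.\n"
    "Repro: curl https://app.example.com/api/users/42 -H 'X-Forwarded-For: 203.0.113.7'"
)

# Order matters: URLs and emails contain domains, so they are matched first and
# replaced by tokens before the bare-domain pattern runs over the remaining text.
_PATTERNS = [
    ("URL", re.compile(r"""https?://[^\s<>"')\]]+""", re.I)),
    ("EMAIL", re.compile(r"[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}", re.I)),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("DOMAIN", re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}\b", re.I)),
]
_TOKEN = re.compile(r"\[(?:URL|EMAIL|IP|DOMAIN)_\d+\]")


class Sanitiser:
    """Replaces sensitive values with [KIND_n] tokens. The same value always
    gets the same token, so the model can still tell that two mentions refer
    to one host. The mapping never leaves this process and is used to put the
    originals back into the model's output for the analyst."""

    def __init__(self):
        self._forward = {}  # original value -> token
        self._reverse = {}  # token -> original value
        self._counts = {}   # kind -> number of tokens issued

    def _token_for(self, kind, value):
        if value not in self._forward:
            n = self._counts.get(kind, 0) + 1
            self._counts[kind] = n
            token = f"[{kind}_{n}]"
            self._forward[value] = token
            self._reverse[token] = value
        return self._forward[value]

    def sanitise(self, text):
        for kind, pattern in _PATTERNS:
            text = pattern.sub(lambda m, k=kind: self._token_for(k, m.group(0)), text)
        return text

    def restore(self, text):
        # Unknown tokens are left in place rather than guessed.
        return _TOKEN.sub(lambda m: self._reverse.get(m.group(0), m.group(0)), text)

    def mapping(self):
        return dict(self._reverse)


def demo(report=REPORT):
    """Round trip: sanitise, pretend the model echoed a token, restore."""
    s = Sanitiser()
    redacted = s.sanitise(report)
    # Constructed stand-in for a model response that refers to a placeholder.
    model_summary = "Severity: High. Unauthenticated access to [URL_1] exposes other users' records."
    return redacted, s.restore(model_summary), s.restore(redacted) == report


if __name__ == "__main__":
    redacted, summary, round_trip_ok = demo()
    print(redacted)
    print(summary)
    print("round trip ok:", round_trip_ok)
```

Two things worth noting from running it: the generic domain pattern over-matches (a file name like README.md is also tokenised), which is the safe direction for this purpose because the mapping restores it afterwards; and a regex layer only catches values in recognisable form, so hostnames hidden in encoded or obfuscated payloads are not covered by it. Treat a sanitiser of this kind as a mitigation, with the provider terms and retention controls described elsewhere on this page doing the rest.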

Bring Your Own AI Key

Bugtri uses your organisation's own AI API key (OpenAI, Anthropic, or Google Gemini), so report content is processed under your own agreement with the provider. Whether that content is excluded from model training is governed by that agreement: check the terms for the API tier you use, since provider policies differ between paid API access and free or consumer tiers.

Encryption

OAuth tokens encrypted at rest with AES-256-GCM. All data in transit uses TLS 1.2+. Passwords hashed with bcrypt. No plaintext credentials stored.

Data Retention

Configurable retention (7-365 days). Auto-purge available. Manual purge on demand. Option to exclude vulnerability details from stored data entirely.

Compliance

Bugtri is designed to meet: UK GDPR, EU GDPR, CCPA/CPRA, and the Australian Privacy Act 1988. Payment processing via Stripe (PCI DSS Level 1).

Access Scope

Bugtri only accesses the single mailbox that is explicitly authorised. The permissions it requests are delegated to the account that signs in, so it cannot access any other mailboxes, user accounts, contacts, calendar, files, OneDrive, Google Drive, or admin settings in your organisation. By design it does not send emails from your account or delete existing emails. Note: Google's consent screen describes the gmail.modify scope as allowing "read, compose and send" because Google offers no narrower scope that can apply labels to messages. The scope does technically permit sending and moving messages to Trash (though not permanent deletion), so the "labels only" behaviour is enforced by Bugtri rather than by the scope itself. Bugtri uses this permission only to apply organisational labels to processed emails; the admin controls and revocation steps in the technical section bound the residual risk.

Technical Requirements & Setup

Connection Method

Bugtri connects via OAuth 2.0 (industry-standard authorisation). No passwords are shared. The authorising user signs in to their email provider (Google or Microsoft) and grants Bugtri specific, limited permissions on a single mailbox only.

OAuth Permissions

The following permissions are requested via the provider's standard OAuth consent screen. All of them are delegated (user-context) permissions: they apply only to the specific mailbox account that signs in to authorise Bugtri, and no application-level (tenant-wide) permissions are requested, so Bugtri has no access to other mailboxes or accounts in the tenant.

Google Workspace (Gmail)

Scope: gmail.readonly
  Purpose: Read incoming vulnerability reports from this mailbox
  Access level: Read only - single mailbox
Scope: gmail.modify
  Purpose: Apply Gmail labels (e.g. Bugtri/Processed, Bugtri/Urgent) to organise processed emails. Google's consent screen describes this scope broadly as "read, compose and send" because no narrower Gmail scope can apply labels to messages; Bugtri only uses it for labelling.
  Access level: Labels only - Bugtri never sends or deletes. This is a behavioural guarantee, since the scope itself would permit sending and moving messages to Trash. gmail.modify already includes read access, so requesting gmail.readonly alongside it does not widen what Bugtri can do.
Scope: openid, email
  Purpose: Identify which mailbox account was connected
  Access level: Profile only

Microsoft 365 (Outlook)

Scope: Mail.Read
  Purpose: Read incoming vulnerability reports from this mailbox
  Access level: Read only - single mailbox
Scope: Mail.ReadWrite
  Purpose: Move processed emails to a "Bugtri-Processed" folder within this mailbox
  Access level: Move only by design. The scope itself permits creating, updating and deleting items in this one mailbox; it does not permit sending, which would require Mail.Send (not requested). Mail.ReadWrite already includes everything Mail.Read grants.
Scope: openid, email, profile
  Purpose: Identify which mailbox account was connected
  Access level: Profile only
Scope: offline_access
  Purpose: Maintain the OAuth connection without requiring the user to re-authenticate
  Access level: Token refresh only. A refresh token is issued to Bugtri; this is the token the revocation steps below invalidate.

IT Admin Pre-Configuration: Google Workspace

The following steps should be completed by a Google Workspace Super Admin before the end user initiates the connection from Bugtri. These can be included in your ITSM change ticket as implementation tasks.

Google Workspace Admin Tasks

  1. Sign in to Google Admin Console (admin.google.com) as a Super Admin.
  2. Navigate to Security > Access and data control > API Controls.
  3. Under App access control, click Manage Third-Party App Access.
  4. Click Add app > OAuth App Name or Client ID.
  5. Search for Bugtri or enter the OAuth Client ID provided by Bugtri (available on request from support).
  6. Set the access level to Trusted. Optionally restrict to the specific organisational unit (OU) that contains the shared mailbox account.
  7. Click Configure and confirm.
Note: If your Workspace policy is set to "Allow users to access any third-party apps", these steps may not be required. The user will see Google's standard OAuth consent screen and can approve directly.

IT Admin Pre-Configuration: Microsoft 365

The following steps should be completed by a Global Administrator or Application Administrator in Azure AD / Microsoft Entra ID before the end user initiates the connection.

Microsoft 365 / Entra ID Admin Tasks

  1. Sign in to the Azure Portal (portal.azure.com) as a Global Administrator.
  2. Navigate to Microsoft Entra ID > Enterprise Applications.
  3. Check Consent and permissions > User consent settings. If set to "Do not allow user consent", admin consent is required before the user can authorise Bugtri.
  4. Option A - Grant admin consent in advance:
    • Go to Enterprise Applications > All Applications.
    • If Bugtri does not appear, the user will need to initiate the connection first (see End User Connection Steps below), then return here.
    • Once Bugtri appears, click it > Permissions > Grant admin consent for [Your Tenant].
    • Review the requested permissions and click Accept. Tenant-wide admin consent makes these delegated permissions available to every user in the tenant (each still limited to their own mailbox), so pair it with the user assignment in step 6 if only the shared mailbox account should be able to connect.
  5. Option B - Allow user consent for verified publishers:
    • Go to Consent and permissions > User consent settings.
    • Select "Allow user consent for apps from verified publishers, for selected permissions".
    • Under Permission classifications, ensure Mail.Read, Mail.ReadWrite, openid, email, profile and offline_access are classified as low impact. Caution: a classification applies to every verified-publisher app in the tenant, not just Bugtri, so marking Mail.ReadWrite as low impact lets users consent to mailbox read/write for any verified-publisher app. Option A (admin consent for Bugtri alone) is the narrower choice. This option also depends on Bugtri's app registration carrying Microsoft publisher verification.
  6. Optional - Restrict to specific users: Under the Bugtri enterprise application, go to Users and groups and assign only the shared mailbox account or the specific users who should be able to connect mailboxes, then set Properties > Assignment required? to Yes. Without that setting the assignment list is not enforced and any user in the tenant can still sign in to Bugtri.
  7. Optional - Conditional Access: If your organisation uses Conditional Access policies, ensure they do not block OAuth token grants to third-party applications from the network/device the user will connect from.
Note: If your tenant allows user consent for all apps or verified publishers, the user will see Microsoft's standard consent prompt and can approve directly without admin pre-configuration.
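A post-consent check covering both admin sections above, added here as an example and not part of Bugtri or of either admin console: it compares the scopes the provider actually recorded with the documented lists and flags grants broader than a single mailbox. It assumes inputs shaped like a Microsoft Graph oauth2PermissionGrant (GET /oauth2PermissionGrants filtered on the Bugtri service principal's clientId) and a Google Admin SDK Directory API token entry (tokens.list for the mailbox account). Both samples are constructed, the service principal and user identifiers are placeholders, and the mapping of Google's userinfo.email URI to the short "email" scope name is an assumption about how the granted scope is reported.

```python
# Documented scopes from the tables above.
EXPECTED_MS = {"Mail.Read", "Mail.ReadWrite", "openid", "email", "profile", "offline_access"}
EXPECTED_GOOGLE = {"gmail.readonly", "gmail.modify", "openid", "email"}
GOOGLE_PREFIX = "https://www.googleapis.com/auth/"
# Assumption: Google reports the email/profile scopes by their full userinfo URIs.
_GOOGLE_ALIASES = {"userinfo.email": "email", "userinfo.profile": "profile"}

# Constructed samples (not real tenant data). Field shapes follow the Graph
# oauth2PermissionGrant and Directory API token resources, trimmed to what is used.
SAMPLE_GRAPH_GRANTS = [
    {"clientId": "sp-bugtri", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "sp-msgraph",
     "scope": "Mail.Read Mail.ReadWrite openid email profile offline_access"},
    {"clientId": "sp-bugtri", "consentType": "Principal", "principalId": "user-security",
     "resourceId": "sp-msgraph",
     "scope": "Mail.Read Mail.ReadWrite Mail.Send openid email profile offline_access"},
]
SAMPLE_GOOGLE_TOKEN = {
    "displayText": "Bugtri", "clientId": "123.apps.googleusercontent.com",
    "userKey": "security@company.com",
    "scopes": ["https://www.googleapis.com/auth/gmail.readonly",
               "https://www.googleapis.com/auth/gmail.modify",
               "openid", "https://www.googleapis.com/auth/userinfo.email"],
}


def normalise_google_scopes(scopes):
    """Strip the googleapis prefix and map userinfo.* to the short names so the
    result compares directly with EXPECTED_GOOGLE."""
    out = set()
    for s in scopes:
        if s.startswith(GOOGLE_PREFIX):
            s = s[len(GOOGLE_PREFIX):]
        out.add(_GOOGLE_ALIASES.get(s, s))
    return out


def compare_scopes(granted, expected):
    """Extra scopes are the security finding; missing ones only mean the
    integration will not work."""
    granted = set(granted)
    return {"extra": sorted(granted - expected),
            "missing": sorted(expected - granted),
            "ok": granted <= expected}


def audit_graph_grants(grants, assignment_required):
    """Entra findings: undocumented scopes, and tenant-wide consent that is
    not narrowed by 'Assignment required' on the enterprise application."""
    findings = []
    for g in grants:
        who = g["principalId"] or "all users (AllPrincipals)"
        extra = compare_scopes(g["scope"].split(), EXPECTED_MS)["extra"]
        if extra:
            findings.append(f"grant for {who}: undocumented scopes {extra}")
        if g["consentType"] == "AllPrincipals" and not assignment_required:
            findings.append("tenant-wide admin consent with 'Assignment required' off: "
                            "any user can connect their own mailbox to Bugtri")
    return findings


def audit_google_token(token):
    """Workspace finding: undocumented scopes on the mailbox account's token."""
    result = compare_scopes(normalise_google_scopes(token["scopes"]), EXPECTED_GOOGLE)
    if result["extra"]:
        return [f"token for {token['userKey']}: undocumented scopes {result['extra']}"]
    return []


if __name__ == "__main__":
    for line in audit_graph_grants(SAMPLE_GRAPH_GRANTS, assignment_required=False):
        print("ENTRA:", line)
    for line in audit_google_token(SAMPLE_GOOGLE_TOKEN):
        print("GOOGLE:", line)
```

To run it against real data, fetch the Graph grants with the Microsoft Graph PowerShell cmdlet Get-MgOauth2PermissionGrant (filtering on clientId eq the Bugtri service principal's object id) or from Graph Explorer, and the Google token list from the Directory API tokens.list call for the mailbox account; feed the JSON into the two audit functions in place of the constructed samples. The second sample grant deliberately carries Mail.Send so the detection path is exercised; nothing on this page says Bugtri requests it.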

End User Connection Steps

After IT admin pre-configuration (if required), the end user performs the following steps from their browser:

User Steps (both providers)

  1. Log in to Bugtri at bugtri.com/login.
  2. Navigate to Mailboxes from the sidebar.
  3. Click Connect Gmail or Connect Microsoft 365.
  4. Review the information in the connection guide modal and click Continue.
  5. Sign in to the shared mailbox account (e.g. security@company.com) when prompted by Google/Microsoft. The account must be able to sign in interactively: Microsoft 365 shared mailboxes are created with sign-in blocked, so IT may need to enable the account and set credentials for it first.
  6. Review the permissions on the consent screen and click Allow (Google) or Accept (Microsoft).
  7. You will be redirected back to Bugtri. The mailbox will show as "Connected" with a green indicator.
  8. Bugtri will begin monitoring the mailbox within 5 minutes. The first sync time will appear on the mailbox card.

Network & Firewall Requirements

Network Configuration

Inbound firewall rules: None required. Bugtri is fully cloud-hosted.
Outbound access: Bugtri's servers connect outbound to the Google/Microsoft APIs over HTTPS (port 443). Apart from the user's browser reaching bugtri.com, nothing on your network needs to reach Bugtri.
VPN / site-to-site: Not required. No on-premise components.
Agents / software: None. No software is installed on any endpoint or server.
IP allowlisting: If your provider tenant restricts API access by source IP, contact Bugtri support for the current egress IP ranges.
DNS changes: None required for mailbox connection. Triage summaries are delivered from triage@bugtri.com; SPF and DKIM are published by the sending domain (bugtri.com), not the receiving one, so no change to your domain's SPF or DKIM records is needed. If your mail filtering quarantines mail from unfamiliar external senders, allowlist triage@bugtri.com instead.

Revoking Access

Access can be revoked at any time by any of these methods:

Method: From Bugtri
  Steps: Mailboxes page > click Remove on the mailbox card
  Effect: Mailbox disconnected. OAuth token deleted from Bugtri.
Method: From Google Admin
  Steps: Admin Console > Security > Access and data control > API Controls > Manage Third-Party App Access > set Bugtri's access level to Blocked. To revoke a single account's token instead: Users > [mailbox account] > Security > Connected applications > Remove access.
  Effect: OAuth token revoked. Bugtri loses access. Note that merely removing Bugtri from the configured app list returns it to your default third-party app policy; if that default allows third-party apps, tokens already granted remain valid.
Method: From Azure / Entra ID
  Steps: Enterprise Applications > Bugtri > Properties > Delete
  Effect: All consent revoked. Bugtri loses access to all mailboxes in the tenant.
Method: From the mailbox user
  Steps: Google: myaccount.google.com > Security > Third-party apps > Bugtri > Remove access. Microsoft: myapps.microsoft.com > Bugtri > Revoke.
  Effect: Individual user's OAuth token revoked.

Once revoked from Bugtri's side, the stored token is deleted and no further emails are read or processed. Revoking at the provider invalidates the refresh token, so Bugtri can no longer obtain new access tokens; an access token that has already been issued can remain usable until it expires (typically up to an hour), so treat provider-side revocation as effective within that window rather than instantly. Existing triage data remains in Bugtri subject to the configured retention policy and can be purged on request.

Further Information

  • Trust Centre - security architecture, compliance, and data controls
  • Security Policy - encryption, authentication, infrastructure, and incident response
  • Privacy Policy - data collection, processing, retention, and your rights
  • Terms of Use - service terms including AI disclaimers and liability
  • Contact Us - for technical questions or to request a security review