August 21 | English translation | Only an article you write yourself is truly your own.

Translation method: read it myself first, because translating straight away without reading is the same as not translating at all; once the translation is done there will be many passages that don't read smoothly. Use the translation to help myself reach the first rung, over a period of fifteen days. This round is also meant to break with the listless life and transition period that came before; I need to get my old feeling back, I suppose, and it also happens to make a good English column.

Preface: only what you write up yourself counts as your own.

Translation 1:

CSSPs develop, nurture, and continually assess the skills, experience, and performance of their community to match security researchers, pen testers, and ethical hackers to the testing opportunity best suited to their expertise. Once matched, CSSPs also ensure fluid vulnerability submission, noise reduction, and integration into software development lifecycles for rapid remediation.

CSSPs (crowdsourced security service providers) develop, cultivate and continually assess the skills, experience and performance of their community, so as to match security researchers, penetration testers and ethical hackers to the testing opportunities that best fit their expertise. Once matched, CSSPs also ensure smooth vulnerability submission, noise reduction, and integration into the software development lifecycle so that fixes happen quickly.

Translation 2:

"By adding the power of the talented researcher community to our Product Security program, we've learned a lot about how people outside the company think about our products, additional scenarios where products can be at risk and what else we could do to protect our products. We've used this information to put a sharper focus on the areas of greatest risk, which has been invaluable to us as we scale."
COLEEN COOLIDGE, SEGMENT

By adding the strength of the talented researcher community to our Product Security program, we have learned a great deal about how people outside the company view our products, about further situations in which our products could be at risk, and about what else we can do to protect them. We have used this information to focus more sharply on the areas of greatest risk, which has been very important to us as we scale.
Coleen Coolidge, Segment

Translation 3:

Previously, the term "bug bounty" was used synonymously with the term "crowdsourced security." With the arrival of additional ways to leverage the crowd, like pen testing and attack surface management, the two terms have now been decoupled. Crowdsourced security is a resourcing model, while bug bounty represents a particular way of incentivizing and engaging those resources. Bug bounties leverage a competitive model that encourages testing through potential for reward. If security researchers are the first to find a vulnerability within the scope defined, they are rewarded with monetary payments dependent on validity and impact.

Previously the term "bug bounty" was used as a synonym for "crowdsourced security." With the emergence of other ways of using the crowd, such as pen testing and attack surface management, the two terms have now been separated. Crowdsourced security is a resourcing model, while bug bounty represents one particular way of incentivizing and using those resources. Bug bounties use a competitive model that encourages testing through the prospect of reward. If a security researcher is the first to find a vulnerability within the defined scope, they receive a monetary reward according to its validity and impact.

Translation 4:

For example, if a security researcher uncovered a cross-site scripting vulnerability, but the same vulnerability was already noted by the customer's internal security team, or if it was uncovered by another researcher first, the individual is not rewarded, nor are they compensated for their time. In another example, two researchers may uncover different types of server security misconfigurations. If one is email spoofing and the other is use of default credentials, both are paid, but the latter would command a higher rate due to greater potential business impact. This model greatly reduces the average 'cost per vulnerability' versus other security solutions, and ensures that customers are truly only paying for value received.

For example, if a security researcher finds a cross-site scripting vulnerability, but the customer's internal security team has already noted the same vulnerability, or another researcher found it first, that person gets no reward and is not compensated for their time either. In another example, two researchers might find different kinds of server security misconfiguration. If one is email spoofing and the other is the use of default credentials, both are paid, but the latter commands a higher rate because of its greater potential business impact. Compared with other security solutions, this model greatly reduces the average "cost per vulnerability" and ensures that customers truly pay only for the value they receive.

Translation 5:

1. Scope definition:
What assets need testing? Is it a single web application? Are there related mobile versions? Is there an API? Would you prefer to test in development or production? Are credentials required? All of these questions must be answered before any program can be initiated, and the sooner you resolve these, the sooner your program can launch.

Which assets need testing? Is it a single web application? Are there related mobile versions? Is there an API? Would you rather test in development or in production? Are credentials needed? All of these questions must be answered before any program can be started, and the sooner you settle them, the sooner your program can launch.

Translation 6:

2. Researcher engagement:
Some platforms match resources based on skill, interest, ability, performance, and many other nuanced factors that influence program success. Others retain high-caliber full-time employees, which in turn makes allocation more dependent on availability. When evaluating a potential CSSP, it's important to dig into their matching methodology, to ensure it aligns with goals and expectations.

Some platforms match resources on skill, interest, ability, performance and many other subtle factors that affect a program's success. Others retain high-caliber full-time employees, which in turn makes allocation depend more on availability. When evaluating a prospective CSSP, it is important to look closely at their matching methodology to make sure it fits your goals and expectations.

Translation 7:

3. Vulnerability submission:
Depending on whether the platform offers triage services, incoming submissions may be validated and prioritized according to severity. Some platforms offer this as a separate add-on cost, while others bake it into every deployment by default. In choosing which is right for you, be aware that even "invite-only" mode bug bounties result in significantly more vulnerabilities than you may be used to. Great triage services don't just eliminate noise, they also help prioritize submissions and help direct remediation.

Depending on whether the platform offers a triage service, incoming submissions may be validated and prioritized by severity. Some platforms offer this as a separately priced add-on, while others include it in every deployment by default. When choosing which is right for you, be aware that even an "invite-only" bug bounty will produce many more vulnerabilities than you may be used to. A good triage service does not just remove noise; it also helps prioritize submissions and guide remediation.

Translation 8:

4. SDLC integration:
Most serious CSSPs will offer integrations into popular developer workflow tools like JIRA, GitHub, ServiceNow, and IBM Resilient. So it's important to ask whether the integration is robust enough to meet your team's most common use cases. In addition to these common developer tools, integrations into Slack and Trello can also improve communication and alerting workflows, while integrations with vulnerability management tools like Qualys can help contextualize and prioritize vulnerabilities from all of your discovery solutions.

Most serious CSSPs integrate with popular developer workflow tools such as JIRA, GitHub, ServiceNow and IBM Resilient. So it is important to ask whether the integration is robust enough to cover your team's most common use cases. Beyond these common developer tools, integrations with Slack and Trello can also improve communication and alerting workflows, while integration with vulnerability management tools such as Qualys can help you contextualize and prioritize vulnerabilities from all of your discovery solutions.

Translation 9:

5. Reward payment:
Valid, non-duplicate, and in-scope vulnerabilities are rewarded from a set-aside sum of money known as the "bounty pool." By allowing an intermediary to handle Crowd payments, organizations avoid the headaches of individual tax procedures that differ by state and country. Some CSSPs will take a cut of every bounty to manage this process, while others ensure all of this money goes directly to the researcher.

Valid, non-duplicate, in-scope vulnerabilities are rewarded from a reserved sum of money called the "bounty pool." By letting an intermediary handle payments to the crowd, organizations avoid the headaches of individual tax procedures that vary by state and country. Some CSSPs take a cut of every bounty to manage this process, while others ensure that all of the money goes directly to the researcher.
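The bounty mechanics described in Translations 3 and 4 (first finder wins, duplicates and internally known issues go unpaid, payout scales with impact) and the scope, triage and bounty-pool steps of Translations 5, 7 and 9 can be modelled as one small triage pipeline. The Python below is an added illustration, not code from the page or from any CSSP platform; the scope patterns, reward table, platform cut, known-internal issue list, sample submissions and the dedup key are all constructed assumptions.

```python
"""Toy bug-bounty triage: scope check, first-finder dedup, severity-based payout.

Added example; not code from the page or any CSSP platform. The scope lists,
reward table, platform cut, known-internal issues and sample submissions are
constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Assumed program scope (constructed): wildcard patterns matched against hostnames.
IN_SCOPE = ["app.example.com", "api.example.com", "*.staging.example.com"]
OUT_OF_SCOPE = ["blog.example.com"]  # third-party hosted, explicitly excluded

# Assumed reward table by triaged severity, P1 highest (constructed amounts).
PAYOUT = {"P1": 4000, "P2": 1500, "P3": 500, "P4": 150}

# Issues the customer's internal team already logged (constructed); same shape as dedup_key().
KNOWN_INTERNAL = {("app.example.com", "xss", "/search")}


@dataclass
class Submission:
    sid: str
    researcher: str
    url: str
    vuln_class: str    # e.g. "xss", "idor", "default-credentials", "email-spoofing"
    severity: str      # assigned by triage after validation: "P1".."P4"
    submitted_at: int  # epoch seconds; the earlier submission wins a tie


@dataclass
class Decision:
    sid: str
    status: str  # paid | duplicate | known-internal | out-of-scope | pool-exhausted
    researcher_payout: int = 0
    platform_fee: int = 0


def in_scope(url: str) -> bool:
    """Out-of-scope patterns take precedence over in-scope ones."""
    host = urlsplit(url).hostname or ""
    if any(fnmatch(host, pat) for pat in OUT_OF_SCOPE):
        return False
    return any(fnmatch(host, pat) for pat in IN_SCOPE)


def dedup_key(sub: Submission) -> tuple:
    """Normalise host + vuln class + path so trivial URL variants collapse to one issue."""
    parts = urlsplit(sub.url)
    return (parts.hostname, sub.vuln_class, parts.path.rstrip("/") or "/")


def triage(subs, pool: int, platform_cut: float = 0.2):
    """Process submissions in arrival order; return (decisions, remaining_pool).

    Only in-scope, non-duplicate findings not already known internally are paid,
    and the platform keeps `platform_cut` of each bounty (assumed fee model).
    """
    seen = set()
    decisions = []
    for sub in sorted(subs, key=lambda s: s.submitted_at):
        if not in_scope(sub.url):
            decisions.append(Decision(sub.sid, "out-of-scope"))
            continue
        key = dedup_key(sub)
        if key in KNOWN_INTERNAL:
            decisions.append(Decision(sub.sid, "known-internal"))
            continue
        if key in seen:
            decisions.append(Decision(sub.sid, "duplicate"))
            continue
        seen.add(key)
        amount = PAYOUT[sub.severity]
        if amount > pool:
            decisions.append(Decision(sub.sid, "pool-exhausted"))
            continue
        pool -= amount
        fee = round(amount * platform_cut)
        decisions.append(Decision(sub.sid, "paid", amount - fee, fee))
    return decisions, pool


# Constructed sample queue mirroring the cases in the text: an XSS the internal team
# already knew, the same IDOR reported twice, an out-of-scope host, and email
# spoofing versus default credentials paid at different rates.
SAMPLE = [
    Submission("s1", "alice", "https://app.example.com/search?q=x", "xss", "P3", 100),
    Submission("s2", "bob", "https://api.example.com/v1/users", "idor", "P2", 110),
    Submission("s3", "carol", "https://api.example.com/v1/users/", "idor", "P2", 120),
    Submission("s4", "dave", "https://blog.example.com/wp-login.php", "default-credentials", "P1", 130),
    Submission("s5", "erin", "https://app.example.com/", "email-spoofing", "P4", 140),
    Submission("s6", "frank", "https://admin.staging.example.com/login", "default-credentials", "P1", 150),
]


def run_sample(pool: int = 10_000):
    return triage(SAMPLE, pool)


if __name__ == "__main__":
    decisions, left = run_sample()
    for d in decisions:
        print(f"{d.sid}: {d.status:<15} researcher={d.researcher_payout:>5} fee={d.platform_fee:>4}")
    print("bounty pool remaining:", left)
```

The dedup key is deliberately coarse (host, vulnerability class, normalized path): a real triage team would also compare parameters and proof-of-concept details, and would re-validate the severity a researcher self-assigns before looking up the payout. Note also that out-of-scope patterns are checked before in-scope ones, so an explicit exclusion cannot be overridden by a broad wildcard.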

I have written too much today, so I can't look at it any more: first, I'm afraid of draining my interest and energy; second, I'm following the principle of stopping at 70% done.

posted @ 2022-08-21 23:58  Haparm